Windows Analysis Report
46VHQmFDxC.exe

Overview

General Information

Sample name:46VHQmFDxC.exe
renamed because original name is a hash value
Original sample name:2b5ceb18f10606859253493d936ae2815b3fed26.exe
Analysis ID:1582809
MD5:ac39e7b10284fe04e5bdb8b588681cb4
SHA1:2b5ceb18f10606859253493d936ae2815b3fed26
SHA256:fc7da967f86d24024700aa2a488ae2ce18c038260d9e2d5067261c9bedbcfaf0
Tags:exe, RedLineStealer, user-NDA0E
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 46VHQmFDxC.exe (PID: 7908 cmdline: "C:\Users\user\Desktop\46VHQmFDxC.exe" MD5: AC39E7B10284FE04E5BDB8B588681CB4)
    • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 8004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "185.38.142.167:6302", "Authorization Header": "19b166de386548abffc45a63fbb79ca0"}
Source | Rule | Description | Author | Strings
46VHQmFDxC.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
46VHQmFDxC.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
    • 0x77543:$gen01: ChromeGetRoamingName
    • 0x77568:$gen02: ChromeGetLocalName
    • 0x775ab:$gen03: get_UserDomainName
    • 0x7b442:$gen04: get_encrypted_key
    • 0x7a1c1:$gen05: browserPaths
    • 0x7a497:$gen06: GetBrowsers
    • 0x79d89:$gen07: get_InstalledInputLanguages
    • 0x7624c:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
    • 0x55890:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
    • 0x7b886:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
    • 0x7b924:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
    • 0x7bf8a:$spe9: *wallet*
    • 0x7426a:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
    • 0x74794:$typ03: A937C899247696B6565665BE3BD09607F49A2042
    • 0x74841:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
    • 0x74218:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
    • 0x74241:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
    • 0x74412:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
    • 0x74665:$typ11: 2A19BFD7333718195216588A698752C517111B02
    • 0x74954:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Source | Rule | Description | Author | Strings
00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
      • 0x24ccb:$gen01: ChromeGetRoamingName
      • 0x24cf0:$gen02: ChromeGetLocalName
      • 0x24d33:$gen03: get_UserDomainName
      • 0x28bca:$gen04: get_encrypted_key
      • 0x27949:$gen05: browserPaths
      • 0x27c1f:$gen06: GetBrowsers
      • 0x27511:$gen07: get_InstalledInputLanguages
      • 0x239d4:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
      • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
      • 0x2900e:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
      • 0x290ac:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
      • 0x29712:$spe9: *wallet*
      • 0x219f2:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
      • 0x21f1c:$typ03: A937C899247696B6565665BE3BD09607F49A2042
      • 0x21fc9:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
      • 0x219a0:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
      • 0x219c9:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
      • 0x21b9a:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
      • 0x21ded:$typ11: 2A19BFD7333718195216588A698752C517111B02
      • 0x220dc:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
00000003.00000002.2618697590.00000000006F2000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1371143077.0000000000212000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 46VHQmFDxC.exe PID: 7908 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.0.46VHQmFDxC.exe.264678.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.46VHQmFDxC.exe.264678.1.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
0.2.46VHQmFDxC.exe.6d502000.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.46VHQmFDxC.exe.6d502000.2.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
0.0.46VHQmFDxC.exe.264678.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: 46VHQmFDxC.exe, Malware Configuration Extractor: RedLine {"C2 url": "185.38.142.167:6302", "Authorization Header": "19b166de386548abffc45a63fbb79ca0"}
Source: C:\Users\user\AppData\Roaming\gdi32.dll, ReversingLabs: Detection: 73%
Source: 46VHQmFDxC.exe, Virustotal: Detection: 45%
Source: 46VHQmFDxC.exe, ReversingLabs: Detection: 78%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll, Joe Sandbox ML: detected
Source: 46VHQmFDxC.exe, Joe Sandbox ML: detected
Source: 46VHQmFDxC.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 46VHQmFDxC.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: MSBuild.exe, 00000003.00000002.2620789735.00000000055FB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8_c source: MSBuild.exe, 00000003.00000002.2619393794.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: MSBuild.exe, 00000003.00000002.2620789735.0000000005550000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0tDj source: MSBuild.exe, 00000003.00000002.2620789735.00000000055AD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: MSBuild.exe, 00000003.00000002.2620789735.0000000005600000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: MSBuild.exe, 00000003.00000002.2619393794.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdba source: MSBuild.exe, 00000003.00000002.2620789735.00000000055AD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbb source: MSBuild.exe, 00000003.00000002.2620789735.0000000005550000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\46VHQmFDxC.exe, Code function: 0_2_6D4F4420 FindFirstFileExW,0_2_6D4F4420

                  Networking

Source: Malware configuration extractor, URLs: 185.38.142.167:6302
Source: global traffic, TCP traffic: 192.168.2.10:49702 -> 185.38.142.167:6302
Source: global traffic, TCP traffic: 192.168.2.10:58226 -> 162.159.36.2:53
Source: Joe Sandbox View, ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL
Source: unknown, TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9q
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://tempuri.org/
Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://tempuri.org/Entity/
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Responsex
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: MSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Responsex
                  Source: 46VHQmFDxC.exe | String found in binary or memory: https://api.ip.sb/ip
                  Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp7327.tmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp7338.tmp

                  System Summary

                  Source: 46VHQmFDxC.exe, type: SAMPLE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.0.46VHQmFDxC.exe.264678.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.2.46VHQmFDxC.exe.6d502000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.0.46VHQmFDxC.exe.264678.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.2.46VHQmFDxC.exe.6d502000.2.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 3.2.MSBuild.exe.6f0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.0.46VHQmFDxC.exe.210000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.2.46VHQmFDxC.exe.6d4b0000.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 46VHQmFDxC.exe, GetWin.cs | Large array initialization: GetWindowsOS: array initializer size 650752
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exe | Code function: 0_2_6D4C69B0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,NtGetContextThread,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,VirtualAlloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exe | Code function: 0_2_6D4C55B0 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW
                  Source: 46VHQmFDxC.exe, 00000000.00000000.1371248344.00000000002B4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameYvonneXeniaKaitlyn.exePXhT vs 46VHQmFDxC.exe
                  Source: 46VHQmFDxC.exe, 00000000.00000000.1371143077.0000000000298000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSkimping.exe8 vs 46VHQmFDxC.exe
                  Source: 46VHQmFDxC.exe, 00000000.00000002.1377084031.000000000075E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 46VHQmFDxC.exe
                  Source: 46VHQmFDxC.exe, 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameSkimping.exe8 vs 46VHQmFDxC.exe
                  Source: 46VHQmFDxC.exe | Binary or memory string: OriginalFilenameSkimping.exe8 vs 46VHQmFDxC.exe
                  Source: 46VHQmFDxC.exe | Binary or memory string: OriginalFilenameYvonneXeniaKaitlyn.exePXhT vs 46VHQmFDxC.exe
                  Source: 46VHQmFDxC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 46VHQmFDxC.exe, type: SAMPLE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.0.46VHQmFDxC.exe.264678.1.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.46VHQmFDxC.exe.6d502000.2.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.0.46VHQmFDxC.exe.264678.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.46VHQmFDxC.exe.6d502000.2.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 3.2.MSBuild.exe.6f0000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.0.46VHQmFDxC.exe.210000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.46VHQmFDxC.exe.6d4b0000.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/6@0/1
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp7327.tmp
                  Source: 46VHQmFDxC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 46VHQmFDxC.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Program Files (x86)\desktop.ini
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 46VHQmFDxC.exeVirustotal: Detection: 45%
                  Source: 46VHQmFDxC.exeReversingLabs: Detection: 78%
                  Source: unknownProcess created: C:\Users\user\Desktop\46VHQmFDxC.exe "C:\Users\user\Desktop\46VHQmFDxC.exe"
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: esdsip.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                  Source: Google Chrome.lnk.3.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: 46VHQmFDxC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 46VHQmFDxC.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: MSBuild.exe, 00000003.00000002.2620789735.00000000055FB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8_c source: MSBuild.exe, 00000003.00000002.2619393794.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: MSBuild.exe, 00000003.00000002.2620789735.0000000005550000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0tDj source: MSBuild.exe, 00000003.00000002.2620789735.00000000055AD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: MSBuild.exe, 00000003.00000002.2620789735.0000000005600000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: MSBuild.exe, 00000003.00000002.2619393794.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdba source: MSBuild.exe, 00000003.00000002.2620789735.00000000055AD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbb source: MSBuild.exe, 00000003.00000002.2620789735.0000000005550000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_02BFCD08 push ebp; retn 0002h3_2_02BFCD09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0657ECF2 push eax; ret 3_2_0657ED01

                  Persistence and Installation Behavior

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeFile created: C:\Users\user\AppData\Roaming\gdi32.dllJump to dropped file
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory allocated: AF0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory allocated: 2560000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory allocated: 4560000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 1230000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2C60000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exe TID: 7992Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4F4420 FindFirstFileExW,0_2_6D4F4420
                  Source: MSBuild.exe, 00000003.00000002.2620789735.0000000005550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4F0152 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D4F0152
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4F2D22 mov eax, dword ptr fs:[00000030h]0_2_6D4F2D22
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4F3F61 mov eax, dword ptr fs:[00000030h]0_2_6D4F3F61
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4EFC27 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6D4EFC27
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4F263C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D4F263C
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6F0000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6F0000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6F0000Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6F2000Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 722000Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 740000Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A87008Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4F0318 cpuid 0_2_6D4F0318
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeQueries volume information: C:\Users\user\Desktop\46VHQmFDxC.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\46VHQmFDxC.exeCode function: 0_2_6D4EFD9B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6D4EFD9B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 46VHQmFDxC.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.46VHQmFDxC.exe.264678.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.46VHQmFDxC.exe.6d502000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.46VHQmFDxC.exe.264678.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.46VHQmFDxC.exe.6d502000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.MSBuild.exe.6f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.46VHQmFDxC.exe.210000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.46VHQmFDxC.exe.6d4b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2618697590.00000000006F2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.1371143077.0000000000212000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 46VHQmFDxC.exe PID: 7908, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8004, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 46VHQmFDxC.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.46VHQmFDxC.exe.264678.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.46VHQmFDxC.exe.6d502000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.46VHQmFDxC.exe.264678.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.46VHQmFDxC.exe.6d502000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.MSBuild.exe.6f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.46VHQmFDxC.exe.210000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.46VHQmFDxC.exe.6d4b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2618697590.00000000006F2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.1371143077.0000000000212000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 46VHQmFDxC.exe PID: 7908, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8004, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Install Root Certificate | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
46VHQmFDxC.exe | 46% | Virustotal |  | Browse
46VHQmFDxC.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
46VHQmFDxC.exe | 100% | Joe Sandbox ML |  |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML |  |
C:\Users\user\AppData\Roaming\gdi32.dll | 74% | ReversingLabs | Win32.Trojan.LummaC |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
185.38.142.167:6302 | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false |  | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.43 | true | false |  | high

Name | Malicious | Antivirus Detection | Reputation
185.38.142.167:6302 | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id12LRMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id9ResponsexMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressingMSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id10LRMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id3ResponsexMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id4LRMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://tempuri.org/Entity/Id24ResponsexMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id2LRMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rmMSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageMSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Entity/Id12ResponsexMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id17ResponsexMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceMSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/soap/actor/nextMSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsMSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/Entity/Id4ResponsexMSBuild.exe, 00000003.00000002.2619903405.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2619903405.0000000002E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
Contacted IPs:
IP: 185.38.142.167, Domain: unknown, Country: Portugal, ASN: 47674, ASN Name: NETSOLUTIONSNL, Malicious: true
                                                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                          Analysis ID:1582809
                                                                                                                                                          Start date and time:2024-12-31 15:01:17 +01:00
                                                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                                                          Overall analysis duration:0h 6m 18s
                                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                                          Report type:full
                                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                          Number of analysed new started processes analysed:8
                                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                                          Number of injected processes analysed:0
                                                                                                                                                          Technologies:
                                                                                                                                                          • HCA enabled
                                                                                                                                                          • EGA enabled
                                                                                                                                                          • AMSI enabled
                                                                                                                                                          Analysis Mode:default
                                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                                          Sample name:46VHQmFDxC.exe
                                                                                                                                                          renamed because original name is a hash value
                                                                                                                                                          Original Sample Name:2b5ceb18f10606859253493d936ae2815b3fed26.exe
                                                                                                                                                          Detection:MAL
                                                                                                                                                          Classification:mal100.troj.evad.winEXE@4/6@0/1
                                                                                                                                                          EGA Information:
                                                                                                                                                          • Successful, ratio: 100%
                                                                                                                                                          HCA Information:
                                                                                                                                                          • Successful, ratio: 97%
                                                                                                                                                          • Number of executed functions: 78
                                                                                                                                                          • Number of non-executed functions: 85
                                                                                                                                                          Cookbook Comments:
                                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                          • Excluded IPs from analysis (whitelisted): 4.175.87.197, 217.20.57.43, 40.69.42.241, 13.85.23.206
                                                                                                                                                          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                          No simulations
Match: 185.38.142.167, Associated Sample Name / URL: ds1bfe33xg.exe, Detection: malicious, Threat Name: RedLine
                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                            bg.microsoft.map.fastly.netvEtDFkAZjO.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                                                                                                                                                            • 199.232.214.172
                                                                                                                                                            GYede3Gwn0.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 199.232.210.172
                                                                                                                                                            Qu3ped8inH.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 199.232.210.172
                                                                                                                                                            DIS_37745672.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                                                                                                                            • 199.232.214.172
                                                                                                                                                            https://gogl.to/3HGTGet hashmaliciousCAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRATBrowse
                                                                                                                                                            • 199.232.214.172
                                                                                                                                                            222.msiGet hashmaliciousXRedBrowse
                                                                                                                                                            • 199.232.214.172
                                                                                                                                                            universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 199.232.210.172
                                                                                                                                                            universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 199.232.210.172
                                                                                                                                                            Payment-Order #24560274 for 8,380 USD.exeGet hashmaliciousAsyncRAT, PureLog Stealer, zgRATBrowse
                                                                                                                                                            • 199.232.214.172
                                                                                                                                                            default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comPayment-Order #24560274 for 8,380 USD.exeGet hashmaliciousAsyncRAT, PureLog Stealer, zgRATBrowse
                                                                                                                                                            • 217.20.57.35
                                                                                                                                                            PersonnelPolicies.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                                                                                                                            • 217.20.57.37
                                                                                                                                                            EiO4tqZ3o4.exeGet hashmaliciousAsyncRATBrowse
                                                                                                                                                            • 217.20.58.100
                                                                                                                                                            wce.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 217.20.58.98
                                                                                                                                                            nXNMsYXFFc.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 217.20.58.100
                                                                                                                                                            5RaYXoKFn9.exeGet hashmaliciousPureCrypter, PureLog StealerBrowse
                                                                                                                                                            • 217.20.58.98
                                                                                                                                                            msgde.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                            • 217.20.58.99
                                                                                                                                                            atw3.dllGet hashmaliciousGozi, UrsnifBrowse
                                                                                                                                                            • 217.20.58.100
                                                                                                                                                            WRD1792.docx.docGet hashmaliciousDynamerBrowse
                                                                                                                                                            • 217.20.58.99
                                                                                                                                                            GtEVo1eO2p.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                            • 217.20.58.98
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NETSOLUTIONSNL | ds1bfe33xg.exe | malicious | RedLine
• 185.38.142.167
PRESUPUEST.exe | malicious | AsyncRAT
• 185.38.142.240
Aviso de transferencia.exe | malicious | AsyncRAT, PureLog Stealer
• 185.38.142.240
rUAE_LPO.com.exe | malicious | AsyncRAT, PureLog Stealer
• 185.38.142.240
A9BripDhRY.lnk | malicious | Unknown
• 185.38.142.128
93.123.85.253-bot.armv4l-2024-08-28T17_49_11.elf | malicious | Unknown
• 188.93.233.79
a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36_dump.exe | malicious | RedLine
• 185.38.142.10
b3u71vBG0u.exe | malicious | RedLine
• 185.38.142.10
2MbHBiqXH2.rtf | malicious | RedLine
• 185.38.142.10
YPSvIjQCzd.exe | malicious | RedLine
• 185.38.142.10
                                                                                                                                                            No context
                                                                                                                                                            No context
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 09:31:46 2023, atime=Mon Oct 2 20:46:56 2023, length=3242272, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2104
                                                                                                                                                            Entropy (8bit):3.469830814055419
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:8S3bd6TWk1RYrnvPdAKRkdAGdAKRFdAKRX:8Swix
                                                                                                                                                            MD5:0499B0B9E1F8554008490A39DDA10056
                                                                                                                                                            SHA1:C8A73CE4CB72DDFE3BA47654EDFA0BB6E79940D1
                                                                                                                                                            SHA-256:B8754B790747F829BA898083D1288874530D23CF262C9444728E3C41ABB8AFB5
                                                                                                                                                            SHA-512:BC80F2F3D31F2D0D47D6C1A502833070EAB0E1AF32ECCE397C2F3D4F4595AF447E9DE67D464EAE7139C95539255FB28D154C316BD6E7A7CF381D0678808415D1
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:L..................F.@.. ......,......=$w...>'..y... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IEW.S....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.L....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VEW.L....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VEW.L...........................k..A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.BW. .chrome.exe..F......CW.VEW.S.............................c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
                                                                                                                                                            Process:C:\Users\user\Desktop\46VHQmFDxC.exe
                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):42
                                                                                                                                                            Entropy (8bit):4.0050635535766075
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                                                            MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                                                            SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                                                            SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                                                            SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                                                            Malicious:true
                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2662
                                                                                                                                                            Entropy (8bit):7.8230547059446645
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                            MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                            SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                            SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                            SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2251
                                                                                                                                                            Entropy (8bit):7.6290521879457565
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:S7SjQDUJK4jtywGuwh20kS5YH5Ux7DVWdjviSt5jtnJdii:ASUDR4EnubtqJghiStlt71
                                                                                                                                                            MD5:6D347163BA96FE2A36CAD1F4C50F351B
                                                                                                                                                            SHA1:A34B54CFF0D192CE28656783F87589D88DB0DDC2
                                                                                                                                                            SHA-256:63B8F5F0645E9644341ACA46DE51DC6BE9AE133A56A5024D4432C1E3A056BAB7
                                                                                                                                                            SHA-512:253B784462D44D22760A62930C5811064C7EDFB96E2679F7FA78551C1FEB8873B3716E9E497E66D06BEA80657BDFDDE5EB465B04139D44907A32C99681341319
                                                                                                                                                            Malicious:false
                                                                                                                                                            Process:C:\Users\user\Desktop\46VHQmFDxC.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):650752
                                                                                                                                                            Entropy (8bit):6.405343386990597
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12288:EBSfaEqTMF80CoIvYRC+9Kn/5AI37gy1K4:I4av48cIroKn/5AA7x1K4
                                                                                                                                                            MD5:07CE16EB6B4643175AC5ACC3A15CC02A
                                                                                                                                                            SHA1:51834D46A39105F65D3972E0B79C75A5B1A1CBD2
                                                                                                                                                            SHA-256:174AA2135CBB50558FF4E54A4BA11A4B828559DFD0C31FB0463A364FC532BB9D
                                                                                                                                                            SHA-512:E117FCE03F171EFA94128CA821A2DE0504F72B565E7F15DE8FCD54FBC2477B1AC817C966FEF4EDF39EA02A9CA30E3BFF8FD51EF96A326729662CF96C7EF38BED
                                                                                                                                                            Malicious:true
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                            Entropy (8bit):6.393390788461558
                                                                                                                                                            TrID:
                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                            File name:46VHQmFDxC.exe
                                                                                                                                                            File size:662'528 bytes
                                                                                                                                                            MD5:ac39e7b10284fe04e5bdb8b588681cb4
                                                                                                                                                            SHA1:2b5ceb18f10606859253493d936ae2815b3fed26
                                                                                                                                                            SHA256:fc7da967f86d24024700aa2a488ae2ce18c038260d9e2d5067261c9bedbcfaf0
                                                                                                                                                            SHA512:0fbff528fe6962f4695be585e8a666af8d4576d75cf37d20e95658e7b1d81bebc0e308b7c4032be139768b077b08e19ed9d474d04a87c0609bac04258ccde809
                                                                                                                                                            SSDEEP:12288:tHQNnEONUb9/6VQBDthHcUzsMyl2zkoF:tqnEldUUfyl2z
                                                                                                                                                            TLSH:75E4085F13BEE608F05A02709995F1765DF1EEA6E403C9F107D42C6B38A5A20EBDCD62
                                                                                                                                                            Icon Hash:90cececece8e8eb0
                                                                                                                                                            Entrypoint:0x40406e
                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                            Digitally signed:false
                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                            Subsystem:windows cui
                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                            Time Stamp:0x676E700D [Fri Dec 27 09:14:53 2024 UTC]
                                                                                                                                                            TLS Callbacks:
                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                            OS Version Major:4
                                                                                                                                                            OS Version Minor:0
                                                                                                                                                            File Version Major:4
                                                                                                                                                            File Version Minor:0
                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                            Instruction
                                                                                                                                                            jmp dword ptr [00402000h]
                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                            jnl 00007F67188212E2h
                                                                                                                                                            cmp cl, dl
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x401c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x65c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa0e78 | 0xa1000 | 8dd1bcd2bb11c07badb53ca12f4a718c | False | 0.3851386597437888 | data | 6.402565462771295 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x65c | 0x800 | 62c1e5e1d4003b9e342aac1547aaf411 | False | 0.3525390625 | data | 3.6062262772921683 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000 | 0xc | 0x200 | 5dbda4a38bd7d993b0957a10cb682415 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa4090 | 0x3cc | data | | | 0.42489711934156377
RT_MANIFEST | 0xa446c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                            Dec 31, 2024 15:02:18.465882063 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.465893984 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.465981960 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.467778921 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.467793941 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.467852116 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.556833982 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.589112043 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.593975067 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.617089033 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.618120909 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.619168043 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.621912003 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.622920990 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.623931885 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.632571936 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.637382030 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.687638998 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.687654018 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.687760115 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.715194941 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.718295097 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.718332052 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.718374968 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.718400002 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.720074892 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.728418112 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.731657982 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.733241081 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.738143921 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.741173029 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.786530018 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.809298038 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.827570915 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.827689886 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.832542896 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.832564116 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.832627058 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.866563082 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.867295980 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.871402979 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.872102976 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.889322996 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.889764071 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.894243956 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.894536018 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.918406963 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.967542887 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.967557907 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.967752934 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.975570917 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.981170893 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:18.985968113 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.997661114 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.997675896 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:18.997745991 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.070651054 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.071257114 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.075139999 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.076096058 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.077043056 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.088601112 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.088656902 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.146014929 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.146645069 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.151503086 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.171030045 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.173870087 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.173885107 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.173966885 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.218885899 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.248188972 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.248210907 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.248308897 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.398112059 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.398591042 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.404872894 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.406414032 CET49674443192.168.2.10173.222.162.55
                                                                                                                                                            Dec 31, 2024 15:02:19.407773018 CET49675443192.168.2.10173.222.162.55
                                                                                                                                                            Dec 31, 2024 15:02:19.409945965 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.417640924 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.419032097 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.422513008 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.466558933 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.507194042 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.518982887 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.523941040 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.536129951 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.555938959 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.555954933 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.556056976 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.559103966 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.567631006 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.572516918 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.576220036 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.598063946 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.621179104 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.647511005 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.662906885 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.669116974 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.669141054 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.669208050 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.671338081 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.672219992 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.677644014 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.717187881 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.720254898 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.758774042 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.761717081 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.767194033 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.769264936 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.771931887 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.771948099 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.772022009 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.773989916 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.774100065 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.778815985 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.822506905 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.857927084 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.861867905 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.862781048 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.862864971 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.864779949 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:19.866674900 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:19.869700909 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.157198906 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.159486055 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.246912003 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.248688936 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.248769045 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.252193928 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.252255917 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.255753994 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.255773067 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.255857944 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.255857944 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.257045031 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.259980917 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.260318995 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.265155077 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.339000940 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.342536926 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.351280928 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.351301908 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.351357937 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.354739904 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.354887009 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.359673977 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.361933947 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.361953974 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.361999035 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.364425898 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.364806890 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.369519949 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.464185953 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.464205027 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.464215994 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.464245081 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.467987061 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.468044043 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.468380928 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.472862005 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.480814934 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.480842113 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.480885983 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.484492064 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.484566927 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.489607096 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.500123024 CET49677443192.168.2.1020.42.65.85
                                                                                                                                                            Dec 31, 2024 15:02:21.577038050 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.577064991 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.577163935 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.580332994 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.580568075 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.580643892 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.582863092 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.585541010 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.585608959 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.585623026 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.585670948 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.585686922 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.588057995 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.588202000 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.592875957 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.638526917 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.680425882 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.682600021 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.682612896 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.682665110 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.685380936 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.685811996 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.686722994 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.689862967 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.689877033 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.689945936 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.690198898 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.690601110 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.691478968 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.692349911 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.693111897 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.697171926 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.697976112 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.783730030 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.786633968 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.786633968 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.786648035 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.786695957 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.790775061 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.791410923 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.792330980 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.793776035 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.793787956 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.793842077 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.797142982 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.798180103 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.799504042 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.804357052 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.885270119 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.888984919 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.893620968 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.893646002 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.893676043 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.893716097 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.896739006 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.896832943 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.898914099 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.898929119 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.898979902 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.901402950 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.901679039 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.901818991 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.906577110 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.989867926 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.992968082 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.997191906 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.997262955 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.997467995 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:21.997518063 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.999738932 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:21.999758959 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:22.004884958 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:22.006252050 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:22.006267071 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:22.006314039 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:22.017649889 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:22.018342972 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:02:22.023150921 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:22.095942974 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:22.098757029 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:22.098782063 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:28.243810892 CET497026302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:02:28.248603106 CET630249702185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:29.015783072 CET49674443192.168.2.10173.222.162.55
                                                                                                                                                            Dec 31, 2024 15:02:29.015810013 CET49675443192.168.2.10173.222.162.55
                                                                                                                                                            Dec 31, 2024 15:02:31.109671116 CET49677443192.168.2.1020.42.65.85
                                                                                                                                                            Dec 31, 2024 15:02:49.602500916 CET630249702185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:49.602586985 CET497026302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:02:49.628359079 CET497026302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:02:54.644763947 CET497066302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:02:54.649636030 CET630249706185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:02:54.649719954 CET497066302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:02:54.650017977 CET497066302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:02:54.654824018 CET630249706185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:07.258022070 CET5822653192.168.2.10162.159.36.2
                                                                                                                                                            Dec 31, 2024 15:03:07.262831926 CET5358226162.159.36.2192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:07.262967110 CET5822653192.168.2.10162.159.36.2
                                                                                                                                                            Dec 31, 2024 15:03:07.263108015 CET5822653192.168.2.10162.159.36.2
                                                                                                                                                            Dec 31, 2024 15:03:07.267847061 CET5358226162.159.36.2192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:07.715683937 CET5358226162.159.36.2192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:07.716490030 CET5822653192.168.2.10162.159.36.2
                                                                                                                                                            Dec 31, 2024 15:03:07.721445084 CET5358226162.159.36.2192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:07.721515894 CET5822653192.168.2.10162.159.36.2
                                                                                                                                                            Dec 31, 2024 15:03:16.062514067 CET630249706185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:16.062661886 CET497066302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:16.063055992 CET497066302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:21.080064058 CET582296302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:21.084995031 CET630258229185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:21.085120916 CET582296302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:21.085494995 CET582296302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:21.090274096 CET630258229185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:42.479213953 CET630258229185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:42.479352951 CET582296302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:42.479696989 CET582296302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:47.486526012 CET582306302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:47.491309881 CET630258230185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:47.491529942 CET582306302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:47.491648912 CET582306302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:03:47.496407986 CET630258230185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:53.569931984 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:53.570214987 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:03:53.570302010 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:03:53.570791006 CET49701443192.168.2.1013.107.246.45
                                                                                                                                                            Dec 31, 2024 15:03:53.578632116 CET4434970113.107.246.45192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:04:08.854748964 CET630258230185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:04:08.854921103 CET582306302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:04:08.855304003 CET582306302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:04:13.862313032 CET582316302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:04:13.867153883 CET630258231185.38.142.167192.168.2.10
                                                                                                                                                            Dec 31, 2024 15:04:13.870332003 CET582316302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:04:13.870609999 CET582316302192.168.2.10185.38.142.167
                                                                                                                                                            Dec 31, 2024 15:04:13.875387907 CET630258231185.38.142.167192.168.2.10
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 31, 2024 15:03:07.257273912 CET | 53 | 55970 | 162.159.36.2 | 192.168.2.10 |
| Dec 31, 2024 15:03:07.728368998 CET | 53 | 55451 | 1.1.1.1 | 192.168.2.10 |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.43 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.19 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.21 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.22 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.42 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.23 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.24 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:40.999761105 CET | 1.1.1.1 | 192.168.2.10 | 0x8ff5 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.38 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:54.227797031 CET | 1.1.1.1 | 192.168.2.10 | 0x3551 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 31, 2024 15:02:54.227797031 CET | 1.1.1.1 | 192.168.2.10 | 0x3551 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |


                                                                                                                                                            Target ID:0
                                                                                                                                                            Start time:09:02:21
                                                                                                                                                            Start date:31/12/2024
                                                                                                                                                            Path:C:\Users\user\Desktop\46VHQmFDxC.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Users\user\Desktop\46VHQmFDxC.exe"
                                                                                                                                                            Imagebase:0x210000
                                                                                                                                                            File size:662'528 bytes
                                                                                                                                                            MD5 hash:AC39E7B10284FE04E5BDB8B588681CB4
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: infostealer_win_redline_strings, Description: Finds Redline samples based on characteristic strings, Source: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp, Author: Sekoia.io
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1371143077.0000000000212000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:low
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:1
                                                                                                                                                            Start time:09:02:21
                                                                                                                                                            Start date:31/12/2024
                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            Imagebase:0x7ff620390000
                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:false

                                                                                                                                                            Target ID:3
                                                                                                                                                            Start time:09:02:22
                                                                                                                                                            Start date:31/12/2024
                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                            Imagebase:0x890000
                                                                                                                                                            File size:262'432 bytes
                                                                                                                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2618697590.00000000006F2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:false


                                                                                                                                                              Execution Graph

                                                                                                                                                              Execution Coverage:12.3%
                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                              Signature Coverage:10.7%
                                                                                                                                                              Total number of Nodes:1474
                                                                                                                                                              Total number of Limit Nodes:13
6d4f3f27 _free 14 API calls 12196->12198 12199 6d4f3f27 _free 14 API calls 12197->12199 12198->12197 12200 6d4f3aca 12199->12200 12201 6d4f3f27 _free 14 API calls 12200->12201 12202 6d4f3ad5 12201->12202 12203 6d4f3f27 _free 14 API calls 12202->12203 12204 6d4f3ae0 12203->12204 12205 6d4f3f27 _free 14 API calls 12204->12205 12206 6d4f3aeb 12205->12206 12207 6d4f3f27 _free 14 API calls 12206->12207 12208 6d4f3af6 12207->12208 12209 6d4f3f27 _free 14 API calls 12208->12209 12210 6d4f3b01 12209->12210 12211 6d4f3f27 _free 14 API calls 12210->12211 12212 6d4f3b0c 12211->12212 12213 6d4f3f27 _free 14 API calls 12212->12213 12214 6d4f3b17 12213->12214 12215 6d4f3f27 _free 14 API calls 12214->12215 12216 6d4f3b25 12215->12216 12221 6d4f38cf 12216->12221 12222 6d4f38db ___scrt_is_nonwritable_in_current_image 12221->12222 12237 6d4f3e7a EnterCriticalSection 12222->12237 12224 6d4f390f 12238 6d4f392e 12224->12238 12226 6d4f38e5 12226->12224 12228 6d4f3f27 _free 14 API calls 12226->12228 12228->12224 12229 6d4f393a 12230 6d4f3946 ___scrt_is_nonwritable_in_current_image 12229->12230 12242 6d4f3e7a EnterCriticalSection 12230->12242 12232 6d4f3950 12233 6d4f3b70 _free 14 API calls 12232->12233 12234 6d4f3963 12233->12234 12243 6d4f3983 12234->12243 12237->12226 12241 6d4f3ec2 LeaveCriticalSection 12238->12241 12240 6d4f391c 12240->12229 12241->12240 12242->12232 12246 6d4f3ec2 LeaveCriticalSection 12243->12246 12245 6d4f3971 12245->12193 12246->12245 12248 6d4eff4c 12247->12248 12249 6d4f21e0 12247->12249 12248->12022 12250 6d4f21ee 12249->12250 12255 6d4f24ec 12249->12255 12252 6d4f2527 ___vcrt_FlsSetValue 6 API calls 12250->12252 12253 6d4f21fe 12252->12253 12260 6d4f21b7 12253->12260 12256 6d4f242d ___vcrt_InitializeCriticalSectionEx 5 API calls 12255->12256 12257 6d4f2506 12256->12257 12258 6d4f251e TlsGetValue 12257->12258 12259 6d4f2512 12257->12259 12258->12259 12259->12250 12261 6d4f21ce 12260->12261 12262 6d4f21c1 12260->12262 12261->12248 12262->12261 12264 6d4f297e 
12262->12264 12265 6d4f3f27 _free 14 API calls 12264->12265 12266 6d4f2996 12265->12266 12266->12261 12273 6d4f2217 12267->12273 12269 6d4eff28 12269->12049 12270 6d4f35e0 12269->12270 12271 6d4f3d3e _free 14 API calls 12270->12271 12272 6d4eff34 12271->12272 12272->12046 12272->12048 12274 6d4f2223 GetLastError 12273->12274 12275 6d4f2220 12273->12275 12276 6d4f24ec ___vcrt_FlsGetValue 6 API calls 12274->12276 12275->12269 12277 6d4f2238 12276->12277 12278 6d4f229d SetLastError 12277->12278 12279 6d4f2527 ___vcrt_FlsSetValue 6 API calls 12277->12279 12286 6d4f2257 12277->12286 12278->12269 12280 6d4f2251 12279->12280 12281 6d4f2527 ___vcrt_FlsSetValue 6 API calls 12280->12281 12283 6d4f2279 12280->12283 12280->12286 12281->12283 12282 6d4f2527 ___vcrt_FlsSetValue 6 API calls 12284 6d4f228d 12282->12284 12283->12282 12283->12284 12285 6d4f297e ___std_type_info_destroy_list 14 API calls 12284->12285 12285->12286 12286->12278 12288 6d4eff88 ___scrt_release_startup_lock 12287->12288 12289 6d4eff8c 12288->12289 12292 6d4eff98 __DllMainCRTStartup@12 12288->12292 12312 6d4f345b 12289->12312 12293 6d4effa5 12292->12293 12315 6d4f2cbe 12292->12315 12293->12057 12382 6d4f1e9e InterlockedFlushSList 12296->12382 12300 6d4f0130 12299->12300 12301 6d4efa84 12300->12301 12386 6d4f35f3 12300->12386 12305 6d4efac0 12301->12305 12303 6d4f013e 12304 6d4f1ef6 ___scrt_uninitialize_crt 7 API calls 12303->12304 12304->12301 12499 6d4effa6 12305->12499 12309 6d4cefcb 12308->12309 12516 6d4ef850 12309->12516 12311 6d4cfe2e 12311->12071 12311->12073 12326 6d4f3326 12312->12326 12316 6d4f2ccc 12315->12316 12324 6d4f2cdd 12315->12324 12343 6d4f2d64 GetModuleHandleW 12316->12343 12321 6d4f2d17 12321->12057 12350 6d4f2b84 12324->12350 12327 6d4f3332 ___scrt_is_nonwritable_in_current_image 12326->12327 12334 6d4f3e7a EnterCriticalSection 12327->12334 12329 6d4f3340 12335 6d4f3381 12329->12335 12334->12329 12336 6d4f334d 12335->12336 12337 6d4f33a0 12335->12337 12339 6d4f3375 12336->12339 
12337->12336 12338 6d4f3f27 _free 14 API calls 12337->12338 12338->12336 12342 6d4f3ec2 LeaveCriticalSection 12339->12342 12341 6d4eff96 12341->12057 12342->12341 12344 6d4f2cd1 12343->12344 12344->12324 12345 6d4f2da7 GetModuleHandleExW 12344->12345 12346 6d4f2dc6 GetProcAddress 12345->12346 12349 6d4f2ddb 12345->12349 12346->12349 12347 6d4f2def FreeLibrary 12348 6d4f2df8 12347->12348 12348->12324 12349->12347 12349->12348 12351 6d4f2b90 ___scrt_is_nonwritable_in_current_image 12350->12351 12366 6d4f3e7a EnterCriticalSection 12351->12366 12353 6d4f2b9a 12367 6d4f2bd1 12353->12367 12355 6d4f2ba7 12371 6d4f2bc5 12355->12371 12358 6d4f2d22 12375 6d4f3f61 GetPEB 12358->12375 12361 6d4f2d51 12364 6d4f2da7 __DllMainCRTStartup@12 3 API calls 12361->12364 12362 6d4f2d31 GetPEB 12362->12361 12363 6d4f2d41 GetCurrentProcess TerminateProcess 12362->12363 12363->12361 12365 6d4f2d59 ExitProcess 12364->12365 12366->12353 12368 6d4f2bdd ___scrt_is_nonwritable_in_current_image 12367->12368 12369 6d4f2c3e __DllMainCRTStartup@12 12368->12369 12370 6d4f345b __DllMainCRTStartup@12 14 API calls 12368->12370 12369->12355 12370->12369 12374 6d4f3ec2 LeaveCriticalSection 12371->12374 12373 6d4f2bb3 12373->12321 12373->12358 12374->12373 12376 6d4f3f7b 12375->12376 12377 6d4f2d2c 12375->12377 12379 6d4f56b2 12376->12379 12377->12361 12377->12362 12380 6d4f562f _free 5 API calls 12379->12380 12381 6d4f56ce 12380->12381 12381->12377 12384 6d4f1eae 12382->12384 12385 6d4efe49 12382->12385 12383 6d4f297e ___std_type_info_destroy_list 14 API calls 12383->12384 12384->12383 12384->12385 12385->12060 12387 6d4f35fe 12386->12387 12388 6d4f3610 ___scrt_uninitialize_crt 12386->12388 12389 6d4f360c 12387->12389 12391 6d4f61dd 12387->12391 12388->12303 12389->12303 12394 6d4f608b 12391->12394 12397 6d4f5fdf 12394->12397 12398 6d4f5feb ___scrt_is_nonwritable_in_current_image 12397->12398 12405 6d4f3e7a EnterCriticalSection 12398->12405 12400 6d4f6061 12414 6d4f607f 12400->12414 12404 6d4f5ff5 
___scrt_uninitialize_crt 12404->12400 12406 6d4f5f53 12404->12406 12405->12404 12407 6d4f5f5f ___scrt_is_nonwritable_in_current_image 12406->12407 12417 6d4f62fa EnterCriticalSection 12407->12417 12409 6d4f5fa2 12428 6d4f5fd3 12409->12428 12410 6d4f5f69 ___scrt_uninitialize_crt 12410->12409 12418 6d4f6195 12410->12418 12498 6d4f3ec2 LeaveCriticalSection 12414->12498 12416 6d4f606d 12416->12389 12417->12410 12419 6d4f61ab 12418->12419 12420 6d4f61a2 12418->12420 12431 6d4f6130 12419->12431 12421 6d4f608b ___scrt_uninitialize_crt 66 API calls 12420->12421 12424 6d4f61a8 12421->12424 12424->12409 12426 6d4f61c7 12444 6d4f77b2 12426->12444 12497 6d4f630e LeaveCriticalSection 12428->12497 12430 6d4f5fc1 12430->12404 12432 6d4f616d 12431->12432 12433 6d4f6148 12431->12433 12432->12424 12437 6d4f64d8 12432->12437 12433->12432 12434 6d4f64d8 ___scrt_uninitialize_crt 25 API calls 12433->12434 12435 6d4f6166 12434->12435 12455 6d4f7fad 12435->12455 12438 6d4f64f9 12437->12438 12439 6d4f64e4 12437->12439 12438->12426 12440 6d4f400b _free 14 API calls 12439->12440 12441 6d4f64e9 12440->12441 12480 6d4f27e8 12441->12480 12445 6d4f77c3 12444->12445 12448 6d4f77d0 12444->12448 12446 6d4f400b _free 14 API calls 12445->12446 12454 6d4f77c8 12446->12454 12447 6d4f7819 12449 6d4f400b _free 14 API calls 12447->12449 12448->12447 12451 6d4f77f7 12448->12451 12450 6d4f781e 12449->12450 12452 6d4f27e8 ___std_exception_copy 25 API calls 12450->12452 12483 6d4f7710 12451->12483 12452->12454 12454->12424 12456 6d4f7fb9 ___scrt_is_nonwritable_in_current_image 12455->12456 12457 6d4f7fc1 12456->12457 12460 6d4f7fd9 12456->12460 12458 6d4f3ff8 __dosmaperr 14 API calls 12457->12458 12461 6d4f7fc6 12458->12461 12459 6d4f8074 12462 6d4f3ff8 __dosmaperr 14 API calls 12459->12462 12460->12459 12464 6d4f800b 12460->12464 12465 6d4f400b _free 14 API calls 12461->12465 12463 6d4f8079 12462->12463 12466 6d4f400b _free 14 API calls 12463->12466 12467 6d4f75cf ___scrt_uninitialize_crt 
EnterCriticalSection 12464->12467 12479 6d4f7fce 12465->12479 12468 6d4f8081 12466->12468 12469 6d4f8011 12467->12469 12470 6d4f27e8 ___std_exception_copy 25 API calls 12468->12470 12471 6d4f802d 12469->12471 12472 6d4f8042 12469->12472 12470->12479 12473 6d4f400b _free 14 API calls 12471->12473 12474 6d4f809f ___scrt_uninitialize_crt 60 API calls 12472->12474 12475 6d4f8032 12473->12475 12476 6d4f803d 12474->12476 12477 6d4f3ff8 __dosmaperr 14 API calls 12475->12477 12478 6d4f806c ___scrt_uninitialize_crt LeaveCriticalSection 12476->12478 12477->12476 12478->12479 12479->12432 12481 6d4f2784 ___std_exception_copy 25 API calls 12480->12481 12482 6d4f27f4 12481->12482 12482->12426 12484 6d4f771c ___scrt_is_nonwritable_in_current_image 12483->12484 12485 6d4f75cf ___scrt_uninitialize_crt EnterCriticalSection 12484->12485 12486 6d4f772b 12485->12486 12487 6d4f7772 12486->12487 12488 6d4f76a6 ___scrt_uninitialize_crt 25 API calls 12486->12488 12489 6d4f400b _free 14 API calls 12487->12489 12490 6d4f7757 FlushFileBuffers 12488->12490 12491 6d4f7777 12489->12491 12490->12491 12492 6d4f7763 12490->12492 12494 6d4f77a6 ___scrt_uninitialize_crt LeaveCriticalSection 12491->12494 12493 6d4f3ff8 __dosmaperr 14 API calls 12492->12493 12495 6d4f7768 GetLastError 12493->12495 12496 6d4f778f 12494->12496 12495->12487 12496->12454 12497->12430 12498->12416 12504 6d4f3623 12499->12504 12502 6d4f22dc ___vcrt_uninitialize_ptd 6 API calls 12503 6d4efac5 12502->12503 12503->12051 12507 6d4f3e1f 12504->12507 12508 6d4f3e29 12507->12508 12509 6d4effad 12507->12509 12511 6d4f5750 12508->12511 12509->12502 12512 6d4f562f _free 5 API calls 12511->12512 12513 6d4f576c 12512->12513 12514 6d4f5787 TlsFree 12513->12514 12515 6d4f5775 12513->12515 12515->12509 12517 6d4ef858 12516->12517 12518 6d4ef859 IsProcessorFeaturePresent 12516->12518 12517->12311 12520 6d4efc64 12518->12520 12523 6d4efc27 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12520->12523 
12522 6d4efd47 12522->12311 12523->12522 12524 6d4efc04 12525 6d4efc0d 12524->12525 12526 6d4efc12 12524->12526 12545 6d4efde8 12525->12545 12530 6d4eface 12526->12530 12531 6d4efada ___scrt_is_nonwritable_in_current_image 12530->12531 12532 6d4efb03 dllmain_raw 12531->12532 12533 6d4efafe 12531->12533 12541 6d4efae9 12531->12541 12534 6d4efb1d dllmain_crt_dispatch 12532->12534 12532->12541 12535 6d4cefa0 __DllMainCRTStartup@12 5 API calls 12533->12535 12534->12533 12534->12541 12536 6d4efb3e 12535->12536 12537 6d4efb6f 12536->12537 12540 6d4cefa0 __DllMainCRTStartup@12 5 API calls 12536->12540 12538 6d4efb78 dllmain_crt_dispatch 12537->12538 12537->12541 12539 6d4efb8b dllmain_raw 12538->12539 12538->12541 12539->12541 12542 6d4efb56 12540->12542 12543 6d4efa1e __DllMainCRTStartup@12 84 API calls 12542->12543 12544 6d4efb64 dllmain_raw 12543->12544 12544->12537 12546 6d4efdfe 12545->12546 12548 6d4efe07 12546->12548 12549 6d4efd9b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 12546->12549 12548->12526 12549->12548 12699 6d4f1fc3 12700 6d4f1ffc 12699->12700 12701 6d4f1fcc 12699->12701 12701->12700 12708 6d4f2209 12701->12708 12704 6d4f2209 47 API calls 12705 6d4f2012 12704->12705 12722 6d4f3635 12705->12722 12709 6d4f2217 23 API calls 12708->12709 12710 6d4f220e 12709->12710 12711 6d4f2007 12710->12711 12728 6d4f5cc2 12710->12728 12711->12704 12715 6d4f36e5 IsProcessorFeaturePresent 12718 6d4f36f1 12715->12718 12717 6d4f36db 12717->12715 12721 6d4f3704 12717->12721 12720 6d4f263c ___std_exception_copy 8 API calls 12718->12720 12720->12721 12758 6d4f2e18 12721->12758 12723 6d4f3641 ___scrt_is_nonwritable_in_current_image 12722->12723 12724 6d4f3be7 __fassign 37 API calls 12723->12724 12725 6d4f3646 12724->12725 12726 6d4f36cb __fassign 37 API calls 12725->12726 12727 6d4f3670 12726->12727 12761 6d4f5bf4 12728->12761 12731 6d4f5d07 12732 6d4f5d13 ___scrt_is_nonwritable_in_current_image 12731->12732 12733 6d4f5d3a __fassign 
12732->12733 12734 6d4f3d3e _free 14 API calls 12732->12734 12737 6d4f5d40 __fassign 12732->12737 12735 6d4f5d87 12733->12735 12733->12737 12757 6d4f5d71 12733->12757 12734->12733 12736 6d4f400b _free 14 API calls 12735->12736 12738 6d4f5d8c 12736->12738 12739 6d4f5db3 12737->12739 12772 6d4f3e7a EnterCriticalSection 12737->12772 12740 6d4f27e8 ___std_exception_copy 25 API calls 12738->12740 12743 6d4f5ee6 12739->12743 12744 6d4f5df5 12739->12744 12754 6d4f5e24 12739->12754 12740->12757 12746 6d4f5ef1 12743->12746 12804 6d4f3ec2 LeaveCriticalSection 12743->12804 12744->12754 12773 6d4f3be7 GetLastError 12744->12773 12747 6d4f2e18 __fassign 23 API calls 12746->12747 12749 6d4f5ef9 12747->12749 12749->12717 12751 6d4f3be7 __fassign 37 API calls 12755 6d4f5e79 12751->12755 12753 6d4f3be7 __fassign 37 API calls 12753->12754 12800 6d4f5e93 12754->12800 12756 6d4f3be7 __fassign 37 API calls 12755->12756 12755->12757 12756->12757 12757->12717 12759 6d4f2cbe __DllMainCRTStartup@12 23 API calls 12758->12759 12760 6d4f2e29 12759->12760 12762 6d4f5c00 ___scrt_is_nonwritable_in_current_image 12761->12762 12767 6d4f3e7a EnterCriticalSection 12762->12767 12764 6d4f5c0e 12768 6d4f5c4c 12764->12768 12767->12764 12771 6d4f3ec2 LeaveCriticalSection 12768->12771 12770 6d4f36d0 12770->12717 12770->12731 12771->12770 12772->12739 12774 6d4f3bfe 12773->12774 12775 6d4f3c04 12773->12775 12777 6d4f578f _free 6 API calls 12774->12777 12776 6d4f57ce _free 6 API calls 12775->12776 12797 6d4f3c0a SetLastError 12775->12797 12778 6d4f3c22 12776->12778 12777->12775 12779 6d4f401e _free 14 API calls 12778->12779 12778->12797 12781 6d4f3c32 12779->12781 12782 6d4f3c3a 12781->12782 12783 6d4f3c51 12781->12783 12788 6d4f57ce _free 6 API calls 12782->12788 12787 6d4f57ce _free 6 API calls 12783->12787 12784 6d4f3c9e 12805 6d4f36cb 12784->12805 12785 6d4f3c98 12785->12753 12790 6d4f3c5d 12787->12790 12791 6d4f3c48 12788->12791 12792 6d4f3c72 12790->12792 12793 6d4f3c61 12790->12793 12796 6d4f3f27 
_free 14 API calls 12791->12796 12795 6d4f39e9 _free 14 API calls 12792->12795 12794 6d4f57ce _free 6 API calls 12793->12794 12794->12791 12798 6d4f3c7d 12795->12798 12796->12797 12797->12784 12797->12785 12799 6d4f3f27 _free 14 API calls 12798->12799 12799->12797 12801 6d4f5e99 12800->12801 12803 6d4f5e6a 12800->12803 12816 6d4f3ec2 LeaveCriticalSection 12801->12816 12803->12751 12803->12755 12803->12757 12804->12746 12806 6d4f5cc2 __fassign 2 API calls 12805->12806 12807 6d4f36d0 12806->12807 12808 6d4f36db 12807->12808 12809 6d4f5d07 __fassign 36 API calls 12807->12809 12810 6d4f36e5 IsProcessorFeaturePresent 12808->12810 12815 6d4f3704 12808->12815 12809->12808 12812 6d4f36f1 12810->12812 12811 6d4f2e18 __fassign 23 API calls 12813 6d4f370e 12811->12813 12814 6d4f263c ___std_exception_copy 8 API calls 12812->12814 12814->12815 12815->12811 12816->12803 12817 6d4cff80 12818 6d4cffdb 12817->12818 12819 6d4d8910 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12818->12819 12820 6d4d7e70 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12818->12820 12821 6d4d0b2c 12818->12821 12824 6d4d8520 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12818->12824 12825 6d4d8db0 26 API calls 12818->12825 12819->12818 12820->12818 12822 6d4ef850 _ValidateLocalCookies 5 API calls 12821->12822 12823 6d4d0b3c 12822->12823 12824->12818 12825->12818 12826 6d4d1280 12830 6d4d12a5 12826->12830 12827 6d4d1560 12828 6d4ef850 _ValidateLocalCookies 5 API calls 12827->12828 12829 6d4d1575 12828->12829 12830->12827 12831 6d4ed6e0 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12830->12831 12831->12830 12832 6d4f1d40 12833 6d4f1d5e 12832->12833 12844 6d4f1d00 12833->12844 12845 6d4f1d1f 12844->12845 12846 6d4f1d12 12844->12846 12847 
6d4ef850 _ValidateLocalCookies 5 API calls 12846->12847 12847->12845 12848 6d4f20c0 12849 6d4f20d2 12848->12849 12851 6d4f20e0 12848->12851 12850 6d4ef850 _ValidateLocalCookies 5 API calls 12849->12850 12850->12851 11781 6d4f401e 11786 6d4f402b _free 11781->11786 11782 6d4f406b 11791 6d4f400b 11782->11791 11783 6d4f4056 RtlAllocateHeap 11784 6d4f4069 11783->11784 11783->11786 11786->11782 11786->11783 11788 6d4f28ea 11786->11788 11794 6d4f2917 11788->11794 11805 6d4f3d3e GetLastError 11791->11805 11793 6d4f4010 11793->11784 11795 6d4f2923 ___scrt_is_nonwritable_in_current_image 11794->11795 11800 6d4f3e7a EnterCriticalSection 11795->11800 11797 6d4f292e 11801 6d4f296a 11797->11801 11800->11797 11804 6d4f3ec2 LeaveCriticalSection 11801->11804 11803 6d4f28f5 11803->11786 11804->11803 11806 6d4f3d55 11805->11806 11807 6d4f3d5b 11805->11807 11828 6d4f578f 11806->11828 11826 6d4f3d61 SetLastError 11807->11826 11833 6d4f57ce 11807->11833 11814 6d4f3da8 11817 6d4f57ce _free 6 API calls 11814->11817 11815 6d4f3d91 11816 6d4f57ce _free 6 API calls 11815->11816 11824 6d4f3d9f 11816->11824 11818 6d4f3db4 11817->11818 11819 6d4f3dc9 11818->11819 11820 6d4f3db8 11818->11820 11851 6d4f39e9 11819->11851 11821 6d4f57ce _free 6 API calls 11820->11821 11821->11824 11845 6d4f3f27 11824->11845 11826->11793 11827 6d4f3f27 _free 12 API calls 11827->11826 11856 6d4f562f 11828->11856 11830 6d4f57ab 11831 6d4f57c6 TlsGetValue 11830->11831 11832 6d4f57b4 11830->11832 11832->11807 11834 6d4f562f _free 5 API calls 11833->11834 11835 6d4f57ea 11834->11835 11836 6d4f5808 TlsSetValue 11835->11836 11837 6d4f3d79 11835->11837 11837->11826 11838 6d4f401e 11837->11838 11843 6d4f402b _free 11838->11843 11839 6d4f406b 11842 6d4f400b _free 13 API calls 11839->11842 11840 6d4f4056 RtlAllocateHeap 11841 6d4f3d89 11840->11841 11840->11843 11841->11814 11841->11815 11842->11841 11843->11839 11843->11840 11844 6d4f28ea _free 2 API calls 11843->11844 11844->11843 11846 6d4f3f5b _free 11845->11846 11847 
6d4f3f32 HeapFree 11845->11847 11846->11826 11847->11846 11848 6d4f3f47 11847->11848 11849 6d4f400b _free 12 API calls 11848->11849 11850 6d4f3f4d GetLastError 11849->11850 11850->11846 11869 6d4f387d 11851->11869 11857 6d4f565d 11856->11857 11861 6d4f5659 _free 11856->11861 11857->11861 11862 6d4f5568 11857->11862 11860 6d4f5677 GetProcAddress 11860->11861 11861->11830 11867 6d4f5579 ___vcrt_InitializeCriticalSectionEx 11862->11867 11863 6d4f5624 11863->11860 11863->11861 11864 6d4f5597 LoadLibraryExW 11865 6d4f55b2 GetLastError 11864->11865 11864->11867 11865->11867 11866 6d4f560d FreeLibrary 11866->11867 11867->11863 11867->11864 11867->11866 11868 6d4f55e5 LoadLibraryExW 11867->11868 11868->11867 11870 6d4f3889 ___scrt_is_nonwritable_in_current_image 11869->11870 11883 6d4f3e7a EnterCriticalSection 11870->11883 11872 6d4f3893 11884 6d4f38c3 11872->11884 11875 6d4f398f 11876 6d4f399b ___scrt_is_nonwritable_in_current_image 11875->11876 11888 6d4f3e7a EnterCriticalSection 11876->11888 11878 6d4f39a5 11889 6d4f3b70 11878->11889 11880 6d4f39bd 11893 6d4f39dd 11880->11893 11883->11872 11887 6d4f3ec2 LeaveCriticalSection 11884->11887 11886 6d4f38b1 11886->11875 11887->11886 11888->11878 11890 6d4f3ba6 _free 11889->11890 11891 6d4f3b7f _free 11889->11891 11890->11880 11891->11890 11896 6d4f6640 11891->11896 12010 6d4f3ec2 LeaveCriticalSection 11893->12010 11895 6d4f39cb 11895->11827 11897 6d4f66c0 11896->11897 11900 6d4f6656 11896->11900 11899 6d4f3f27 _free 14 API calls 11897->11899 11922 6d4f670e 11897->11922 11901 6d4f66e2 11899->11901 11900->11897 11903 6d4f3f27 _free 14 API calls 11900->11903 11905 6d4f6689 11900->11905 11902 6d4f3f27 _free 14 API calls 11901->11902 11904 6d4f66f5 11902->11904 11909 6d4f667e 11903->11909 11910 6d4f3f27 _free 14 API calls 11904->11910 11911 6d4f3f27 _free 14 API calls 11905->11911 11923 6d4f66ab 11905->11923 11906 6d4f3f27 _free 14 API calls 11912 6d4f66b5 11906->11912 11907 6d4f677c 11913 6d4f3f27 _free 14 API calls 11907->11913 
11908 6d4f671c 11908->11907 11921 6d4f3f27 14 API calls _free 11908->11921 11924 6d4f857a 11909->11924 11915 6d4f6703 11910->11915 11916 6d4f66a0 11911->11916 11917 6d4f3f27 _free 14 API calls 11912->11917 11918 6d4f6782 11913->11918 11919 6d4f3f27 _free 14 API calls 11915->11919 11952 6d4f8678 11916->11952 11917->11897 11918->11890 11919->11922 11921->11908 11964 6d4f67b1 11922->11964 11923->11906 11925 6d4f858b 11924->11925 11951 6d4f8674 11924->11951 11926 6d4f859c 11925->11926 11927 6d4f3f27 _free 14 API calls 11925->11927 11928 6d4f3f27 _free 14 API calls 11926->11928 11931 6d4f85ae 11926->11931 11927->11926 11928->11931 11929 6d4f3f27 _free 14 API calls 11932 6d4f85c0 11929->11932 11930 6d4f85d2 11934 6d4f85e4 11930->11934 11935 6d4f3f27 _free 14 API calls 11930->11935 11931->11929 11931->11932 11932->11930 11933 6d4f3f27 _free 14 API calls 11932->11933 11933->11930 11936 6d4f85f6 11934->11936 11937 6d4f3f27 _free 14 API calls 11934->11937 11935->11934 11938 6d4f8608 11936->11938 11939 6d4f3f27 _free 14 API calls 11936->11939 11937->11936 11940 6d4f861a 11938->11940 11941 6d4f3f27 _free 14 API calls 11938->11941 11939->11938 11942 6d4f862c 11940->11942 11943 6d4f3f27 _free 14 API calls 11940->11943 11941->11940 11944 6d4f863e 11942->11944 11945 6d4f3f27 _free 14 API calls 11942->11945 11943->11942 11946 6d4f8650 11944->11946 11947 6d4f3f27 _free 14 API calls 11944->11947 11945->11944 11948 6d4f8662 11946->11948 11949 6d4f3f27 _free 14 API calls 11946->11949 11947->11946 11950 6d4f3f27 _free 14 API calls 11948->11950 11948->11951 11949->11948 11950->11951 11951->11905 11953 6d4f8685 11952->11953 11963 6d4f86dd 11952->11963 11954 6d4f8695 11953->11954 11955 6d4f3f27 _free 14 API calls 11953->11955 11956 6d4f86a7 11954->11956 11957 6d4f3f27 _free 14 API calls 11954->11957 11955->11954 11958 6d4f86b9 11956->11958 11959 6d4f3f27 _free 14 API calls 11956->11959 11957->11956 11960 6d4f86cb 11958->11960 11961 6d4f3f27 _free 14 API calls 11958->11961 11959->11958 
11962 6d4f3f27 _free 14 API calls 11960->11962 11960->11963 11961->11960 11962->11963 11963->11923 11965 6d4f67be 11964->11965 11969 6d4f67dd 11964->11969 11965->11969 11970 6d4f8719 11965->11970 11968 6d4f3f27 _free 14 API calls 11968->11969 11969->11908 11971 6d4f67d7 11970->11971 11972 6d4f872a 11970->11972 11971->11968 12006 6d4f86e1 11972->12006 11975 6d4f86e1 _free 14 API calls 11976 6d4f873d 11975->11976 11977 6d4f86e1 _free 14 API calls 11976->11977 11978 6d4f8748 11977->11978 11979 6d4f86e1 _free 14 API calls 11978->11979 11980 6d4f8753 11979->11980 11981 6d4f86e1 _free 14 API calls 11980->11981 11982 6d4f8761 11981->11982 11983 6d4f3f27 _free 14 API calls 11982->11983 11984 6d4f876c 11983->11984 11985 6d4f3f27 _free 14 API calls 11984->11985 11986 6d4f8777 11985->11986 11987 6d4f3f27 _free 14 API calls 11986->11987 11988 6d4f8782 11987->11988 11989 6d4f86e1 _free 14 API calls 11988->11989 11990 6d4f8790 11989->11990 11991 6d4f86e1 _free 14 API calls 11990->11991 11992 6d4f879e 11991->11992 11993 6d4f86e1 _free 14 API calls 11992->11993 11994 6d4f87af 11993->11994 11995 6d4f86e1 _free 14 API calls 11994->11995 11996 6d4f87bd 11995->11996 11997 6d4f86e1 _free 14 API calls 11996->11997 11998 6d4f87cb 11997->11998 11999 6d4f3f27 _free 14 API calls 11998->11999 12000 6d4f87d6 11999->12000 12001 6d4f3f27 _free 14 API calls 12000->12001 12002 6d4f87e1 12001->12002 12003 6d4f3f27 _free 14 API calls 12002->12003 12004 6d4f87ec 12003->12004 12005 6d4f3f27 _free 14 API calls 12004->12005 12005->11971 12007 6d4f8714 12006->12007 12008 6d4f8704 12006->12008 12007->11975 12008->12007 12009 6d4f3f27 _free 14 API calls 12008->12009 12009->12008 12010->11895 12852 6d4f481b 12853 6d4f482d 12852->12853 12854 6d4f4829 12852->12854 12855 6d4f4858 12853->12855 12856 6d4f4832 12853->12856 12855->12854 12863 6d4f54ad 12855->12863 12857 6d4f401e _free 14 API calls 12856->12857 12858 6d4f483b 12857->12858 12860 6d4f3f27 _free 14 API calls 12858->12860 12860->12854 12861 6d4f4878 
12862 6d4f3f27 _free 14 API calls 12861->12862 12862->12854 12864 6d4f54ba 12863->12864 12865 6d4f54d5 12863->12865 12864->12865 12867 6d4f54c6 12864->12867 12866 6d4f54e4 12865->12866 12872 6d4f7369 12865->12872 12879 6d4f739c 12866->12879 12869 6d4f400b _free 14 API calls 12867->12869 12871 6d4f54cb std::bad_exception::bad_exception 12869->12871 12871->12861 12873 6d4f7389 HeapSize 12872->12873 12874 6d4f7374 12872->12874 12873->12866 12875 6d4f400b _free 14 API calls 12874->12875 12876 6d4f7379 12875->12876 12877 6d4f27e8 ___std_exception_copy 25 API calls 12876->12877 12878 6d4f7384 12877->12878 12878->12866 12880 6d4f73a9 12879->12880 12881 6d4f73b4 12879->12881 12891 6d4f3ed9 12880->12891 12883 6d4f73bc 12881->12883 12889 6d4f73c5 _free 12881->12889 12884 6d4f3f27 _free 14 API calls 12883->12884 12887 6d4f73b1 12884->12887 12885 6d4f73ef HeapReAlloc 12885->12887 12885->12889 12886 6d4f73ca 12888 6d4f400b _free 14 API calls 12886->12888 12887->12871 12888->12887 12889->12885 12889->12886 12890 6d4f28ea _free 2 API calls 12889->12890 12890->12889 12892 6d4f3f17 12891->12892 12893 6d4f3ee7 _free 12891->12893 12894 6d4f400b _free 14 API calls 12892->12894 12893->12892 12895 6d4f3f02 HeapAlloc 12893->12895 12897 6d4f28ea _free 2 API calls 12893->12897 12896 6d4f3f15 12894->12896 12895->12893 12895->12896 12896->12887 12897->12893 12898 6d4f351a 12901 6d4f35a0 12898->12901 12902 6d4f352d 12901->12902 12903 6d4f35b4 12901->12903 12903->12902 12904 6d4f3f27 _free 14 API calls 12903->12904 12904->12902 12905 6d4f0558 12908 6d4e88a0 12905->12908 12913 6d4e88fa std::bad_exception::bad_exception 12908->12913 12909 6d4e8b8c 12910 6d4ef850 _ValidateLocalCookies 5 API calls 12909->12910 12911 6d4e8b9c 12910->12911 12912 6d4f0d6c 25 API calls ___std_exception_copy 12912->12913 12913->12909 12913->12912 12914 6d4f5914 12915 6d4f5945 12914->12915 12917 6d4f591f 12914->12917 12916 6d4f592f FreeLibrary 12916->12917 12917->12915 12917->12916 12918 6d4f0592 12919 6d4e88a0 
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
Yara matches
Similarity
• API ID: Virtual$Memory$Write$Thread$Context$Allocate$AllocResume$CloseCreateHandleReadWindow$ConsoleProcessShow
• String ID: ^L$'`a$'`a$-VMN$4:q&$4Ou\$54$54$7HXQ$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$NFdu$NFdu$T[~.$T[~.$d7V+$fZ>$g^/V$j0$j0$kernel32.dll$ntdll.dll$ur$'K1
• API String ID: 683547147-620754675
• Opcode ID: 95e697d452a2f06b6ba666e3564973ce48208f6bac69c22b008a24a495713578
• Instruction ID: 77dd1580c2e51cbba3f10faf7b089544d5f6aadd864556e7ccc5652bc97aedb4
• Opcode Fuzzy Hash: 95e697d452a2f06b6ba666e3564973ce48208f6bac69c22b008a24a495713578
• Instruction Fuzzy Hash: 70E3253AA542118FCF15CE3CC9D5BD97BF2BB86311F108598D419DB7A4C63A8D8A8F42

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
Yara matches
Similarity
• API ID: Handle$Close$FileModule$ProtectVirtual$Name$CreateCurrentInformationProcess$MappingView
• String ID: #(q$#(q$(i!$=T3$@$IT\g$IT\g$XX$XX$d1A$t0O$6|Q
• API String ID: 753040704-289776380
• Opcode ID: 3b417dd48233a1fa76aeb27f6b14d592e609b578cb77a8a1dfcd470281dea0e4
• Instruction ID: 1c70e043467033072569d51d14a9aa322f36bf15c8be9f9c429efddc51227bb0
• Opcode Fuzzy Hash: 3b417dd48233a1fa76aeb27f6b14d592e609b578cb77a8a1dfcd470281dea0e4
• Instruction Fuzzy Hash: A073F03AA542158FCF14CE3CC9D4BDA37F2AB46360F10D669D419DB394DB369D8A8B02

Control-flow Graph (legend: Executed / Not Executed)
APIs
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?), ref: 6D4C5C75
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
Yara matches
Similarity
• API ID: HandleModule
• String ID: ?;Ap$NtQueryInformationProcess$^(&>$ntdll.dll$|4vB$|4vB

Control-flow Graph (legend: Executed / Not Executed)
APIs
• __RTC_Initialize.LIBCMT ref: 6D4EFA65
• ___scrt_uninitialize_crt.LIBCMT ref: 6D4EFA7F
Yara matches
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:

Control-flow Graph (legend: Executed / Not Executed)
APIs
Yara matches
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:

Control-flow Graph (legend: Executed / Not Executed)
APIs
• __RTC_Initialize.LIBCMT ref: 6D4EF964
  • Part of subcall function 6D4EFE33: InitializeSListHead.KERNEL32(6D54DE50,6D4EF96E,6D5008C0,00000010,6D4EF8FF,?,?,?,6D4EFB27,?,00000001,?,?,00000001,?,6D500908), ref: 6D4EFE38
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D4EF9CE
Yara matches
Similarity
• API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
• String ID:

Control-flow Graph (legend: Executed / Not Executed)
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D4F3D89,00000001,00000364,FFFFFFFF,000000FF,?,00000001,6D4F4010,6D4F3F4D,?,?,6D4F3439), ref: 6D4F405F
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AllocateHeap
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 1279760036-0
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: S[Aw$UM^M$UM^M$Ztb_$se(&$MA$MA$k25
                                                                                                                                                              • API String ID: 0-2283769935
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: %n$%n$G0wC$G0wC$ymf*
                                                                                                                                                              • API String ID: 0-2180225338
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: >:"v$St$St$uut$uut
                                                                                                                                                              • API String ID: 0-2352700851
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 3Y/R$3Y/R$d)Jd$<d
                                                                                                                                                              • API String ID: 0-3994705701
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: e?9$n_]A$n_]A$pu7(
                                                                                                                                                              • API String ID: 0-686607234
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: mx$K$m \$y73$y73
                                                                                                                                                              • API String ID: 0-885510288
                                                                                                                                                              APIs
                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6D4F015E
                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 6D4F022A
                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D4F024A
                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 6D4F0254
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 254469556-0
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: K3$ K3$" (S$" (S
                                                                                                                                                              • API String ID: 0-1294071290
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: .O)P$r`fe$r`fe
                                                                                                                                                              • API String ID: 0-4212609085
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: []=/$vwv&$vwv&
                                                                                                                                                              • API String ID: 0-3587720153
                                                                                                                                                              APIs
                                                                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D4F2734
                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D4F273E
                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D4F274B
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3906539128-0
                                                                                                                                                              APIs
                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,?,6D4F2D21,?,00000001,?,?), ref: 6D4F2D44
                                                                                                                                                              • TerminateProcess.KERNEL32(00000000,?,6D4F2D21,?,00000001,?,?), ref: 6D4F2D4B
                                                                                                                                                              • ExitProcess.KERNEL32 ref: 6D4F2D5D
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 1703294689-0
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: eZ-$eZ-$xuF
                                                                                                                                                              • API String ID: 0-613344219
                                                                                                                                                              • Opcode ID: ce58f309848696d3b9b11527fc23d1efeee2260bee98a7baf13f13cea92cc44b
                                                                                                                                                              • Instruction ID: 061a4bdb00ac6c9ee5fbc376a7f0d4eeffcf834bfa0f3446359879a91e0bcd7f
                                                                                                                                                              • Opcode Fuzzy Hash: ce58f309848696d3b9b11527fc23d1efeee2260bee98a7baf13f13cea92cc44b
                                                                                                                                                              • Instruction Fuzzy Hash: 85329836A505428FCF09CE7CC5E57DE3BE2BB573A2F219615C421EB784D62A4E0B8B41
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: &Rm$@$5?$@$5?
                                                                                                                                                              • API String ID: 0-3230142386
                                                                                                                                                              • Opcode ID: cc38416d855c96e14432ce28c8ac9cf23aebc753475ced2f2231c53e51eb1f44
                                                                                                                                                              • Instruction ID: ef46da05f6b4a729f68ea6cb41f7142ecb903ecc0143eb7cee69e02677861f80
                                                                                                                                                              • Opcode Fuzzy Hash: cc38416d855c96e14432ce28c8ac9cf23aebc753475ced2f2231c53e51eb1f44
                                                                                                                                                              • Instruction Fuzzy Hash: C0226736A142518FDF06CE7CC4E5BEE3BF2EB4B360F219119D915DB399C62A4C0A8B51
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: d%#-$lZk$lZk
                                                                                                                                                              • API String ID: 0-264090677
                                                                                                                                                              • Opcode ID: 0f89dd887c68166bf1ff5850412ae23b8d6ee4960ea59b8f7e74afea370fc694
                                                                                                                                                              • Instruction ID: 8d11f95f91a0df692f3e9769256ce3424023c206975f251888089dbf548f5236
                                                                                                                                                              • Opcode Fuzzy Hash: 0f89dd887c68166bf1ff5850412ae23b8d6ee4960ea59b8f7e74afea370fc694
                                                                                                                                                              • Instruction Fuzzy Hash: EF919C75E042098FCF45CEACD5A0BDE7BF2BB89320F218156E824A7350D3399D468F50
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: Kt*/$[0#
                                                                                                                                                              • API String ID: 0-424502939
                                                                                                                                                              • Opcode ID: b300197f3bd19985a3e435f38a1ce11ffc4c68aae11c4cfffa4a49aae99b2d4b
                                                                                                                                                              • Instruction ID: f99212172c9369a1d7b5fd62333254597bfba93c00a259c530ba50790a3b628b
                                                                                                                                                              • Opcode Fuzzy Hash: b300197f3bd19985a3e435f38a1ce11ffc4c68aae11c4cfffa4a49aae99b2d4b
                                                                                                                                                              • Instruction Fuzzy Hash: 89723636A542458FCF09CE7CD4A4BDE7BF2AB86320F11D11AE411EB394C63A9C4ACB11
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 3caa8ee78a9b758703d5e4d14ba94679fe4d9f65369fca14dbf8368d518adeaa
                                                                                                                                                              • Instruction ID: b3ce21bedd6f87526cb2f85463026570fdc0805017f2220cd75c9718e06a01e0
                                                                                                                                                              • Opcode Fuzzy Hash: 3caa8ee78a9b758703d5e4d14ba94679fe4d9f65369fca14dbf8368d518adeaa
                                                                                                                                                              • Instruction Fuzzy Hash: 48D12472A502119FCF04CE7CC895BDE7FF2BB4A3A5F149619C421EB790D32A9C4A8B51
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: GyV$`t
                                                                                                                                                              • API String ID: 0-3857262959
                                                                                                                                                              • Opcode ID: ba1f47b6bec8e45233e43c91c5856bca7c9eabdc34110fde8305e9e7382327ce
                                                                                                                                                              • Instruction ID: b8fab51c865d7e33d81bb265f052219cb88d4884fb611b4d78d61407d4017dc4
                                                                                                                                                              • Opcode Fuzzy Hash: ba1f47b6bec8e45233e43c91c5856bca7c9eabdc34110fde8305e9e7382327ce
                                                                                                                                                              • Instruction Fuzzy Hash: D8324736A541119FCF05CEBCC5D5BDE7BF2BB863A2F249129D421DB395D32A8C0A8B01
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: dyZt$u1j
                                                                                                                                                              • API String ID: 0-4284781672
                                                                                                                                                              • Opcode ID: ed63cf6becf7d0ee155c264789dd7c2f7d4075b693543a250bbde2cb92880736
                                                                                                                                                              • Instruction ID: 2ad1b592083ec0117723d51aa9a1cebd5e8bc2843c77c0931fc30835d327094c
                                                                                                                                                              • Opcode Fuzzy Hash: ed63cf6becf7d0ee155c264789dd7c2f7d4075b693543a250bbde2cb92880736
                                                                                                                                                              • Instruction Fuzzy Hash: D332C032A542058FCF45CEBCD5A4BDEBBF2BB86314F108629D411EB398D7399D0A8B51
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: G%F6$G%F6
                                                                                                                                                              • API String ID: 0-2097783536
                                                                                                                                                              • Opcode ID: e4d3e763b34765e9aeb270eab7cefedc5f0e5803d00016a4a3c7d2b7ec578b18
                                                                                                                                                              • Instruction ID: 65b799493184d658a6eefdf2d749b56d98c6bdd27e4d6de7e8d8f5e59ebe28f1
                                                                                                                                                              • Opcode Fuzzy Hash: e4d3e763b34765e9aeb270eab7cefedc5f0e5803d00016a4a3c7d2b7ec578b18
                                                                                                                                                              • Instruction Fuzzy Hash: 27021176A502418FCF45CF7CC9E4BDD7BF2AB4A3A4F209119E815E7784C6298C4ACB11
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: q{r%$q{r%
                                                                                                                                                              • API String ID: 0-890641862
                                                                                                                                                              • Opcode ID: 021a8853165d8c0e9297fa72ae4cfb6cc1af5a4223456cded627e8befbd66a0d
                                                                                                                                                              • Instruction ID: 28e2f8d5cf2ba06f746eb2302f5fb3a5439726da8257757e5c8eff55b9c9c1b9
                                                                                                                                                              • Opcode Fuzzy Hash: 021a8853165d8c0e9297fa72ae4cfb6cc1af5a4223456cded627e8befbd66a0d
                                                                                                                                                              • Instruction Fuzzy Hash: 34026A72A561818FDF04CEBCE5E1BEE77F2AB46320F258215D821D7794C23A9D4ACB05
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: .n|$.n|
                                                                                                                                                              • API String ID: 0-574793741
                                                                                                                                                              • Opcode ID: 3b502d1a5abdf0cc6e59aaa3f49e7e0dfe7c327f330bc507047291c0a2a77ff3
                                                                                                                                                              • Instruction ID: 50ade6f928df009435122c329bf3bcbe3d3ee56c135995ab290afa450cfc9800
                                                                                                                                                              • Opcode Fuzzy Hash: 3b502d1a5abdf0cc6e59aaa3f49e7e0dfe7c327f330bc507047291c0a2a77ff3
                                                                                                                                                              • Instruction Fuzzy Hash: E7021176A541528FCF448E7CC4A57EE7BF2EB47321F21D219C421EB794DA2A4C0ACB25
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: }E?$}E?
                                                                                                                                                              • API String ID: 0-1074294154
                                                                                                                                                              • Opcode ID: b4dc9be65af8d093b48da8c9ce8e98f3300702c70bb4413502481eece1991631
                                                                                                                                                              • Instruction ID: c4ecefbe9e2611bd458cfadf1c8b5ac7fb3fc5dcdd983d6c4460afa0ed08478e
                                                                                                                                                              • Opcode Fuzzy Hash: b4dc9be65af8d093b48da8c9ce8e98f3300702c70bb4413502481eece1991631
                                                                                                                                                              • Instruction Fuzzy Hash: 3BF12932A541168FCF04CE7CD5E4BFE37F2AB82360F21A619D425D7794C62A8E4AC745
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 0!$bad array new length
                                                                                                                                                              • API String ID: 0-4148911383
                                                                                                                                                              • Opcode ID: c300111f6519d3a928f4dbdea632faa3fe12ec9ec63672df83071be18268ecd3
                                                                                                                                                              • Instruction ID: 7793c6db6d8d9715d29eaa3de683493894289097b44e6446bd47499c434e03b8
                                                                                                                                                              • Opcode Fuzzy Hash: c300111f6519d3a928f4dbdea632faa3fe12ec9ec63672df83071be18268ecd3
                                                                                                                                                              • Instruction Fuzzy Hash: D0F14732A44106AFCF05CE7CD685BEE77F2AB863E2F21D524C411D7755D63A8E0A8B42
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: r|WE$r|WE
                                                                                                                                                              • API String ID: 0-563362223
                                                                                                                                                              • Opcode ID: 69c4c1822ec786b3e49f6cbdfabf987b831470fdce6ffd7c588c761f5cb8d250
                                                                                                                                                              • Instruction ID: b4f0e6a1103bb04445ca371f62114ff0286c36fab15a4741f1981cfb03b4222b
                                                                                                                                                              • Opcode Fuzzy Hash: 69c4c1822ec786b3e49f6cbdfabf987b831470fdce6ffd7c588c761f5cb8d250
                                                                                                                                                              • Instruction Fuzzy Hash: E4D15832E585124FDF499D7CC5F97EE37E3AB43360F1196099522DB7D1C22A4D0A8B41
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: ?$nA
                                                                                                                                                              • API String ID: 0-2164505474
                                                                                                                                                              • Opcode ID: 0151ee7c4b9f32edc5f41c6a94015c6af0ddf3418304457b0211b7bba4d3bbbf
                                                                                                                                                              • Instruction ID: 8d256a3ea026cecd3a6f4e78d4c21df8c42113b35ecafec7139735b038f6b3b4
                                                                                                                                                              • Opcode Fuzzy Hash: 0151ee7c4b9f32edc5f41c6a94015c6af0ddf3418304457b0211b7bba4d3bbbf
                                                                                                                                                              • Instruction Fuzzy Hash: 45E1F076A152458FCF45CE7CD5A1BDEBBF2BB4A310F11811AD821EB354C2369C068F66
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: [:$a$[:$a
                                                                                                                                                              • API String ID: 0-817206409
                                                                                                                                                              • Opcode ID: 687c7f186ea7fd9581d6a237be4533ffbb4262cb1be776210bc65efebb2d1056
                                                                                                                                                              • Instruction ID: fffd078caecc02be45439d19fb35474785aaa064daa5ba081f3ac75b8c42c75c
                                                                                                                                                              • Opcode Fuzzy Hash: 687c7f186ea7fd9581d6a237be4533ffbb4262cb1be776210bc65efebb2d1056
                                                                                                                                                              • Instruction Fuzzy Hash: 71C1E176A542059FDF08CF6CC495BDE7BF2AB463A2F109519D810E73D4C33A8D4A8B51
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: -$-
                                                                                                                                                              • API String ID: 0-921942269
                                                                                                                                                              • Opcode ID: f3cbd4f7d2be48088683b0f7cbf8517a3d4487909f5e19866a8aa8ee0717c7ac
                                                                                                                                                              • Instruction ID: 33dc68c187b4ba4e9dc7e7c8d1a8117a2d6309518a46bbfeb2e96cc3e62022f1
                                                                                                                                                              • Opcode Fuzzy Hash: f3cbd4f7d2be48088683b0f7cbf8517a3d4487909f5e19866a8aa8ee0717c7ac
                                                                                                                                                              • Instruction Fuzzy Hash: ECC1E73AA501018FDF05CF7CC9917FD7BF2A746320F24D619D424E77A8C62A9D4A8B86
                                                                                                                                                              Strings
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: F/U$F/U
                                                                                                                                                              • API String ID: 0-3161636902
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: ^H?|
                                                                                                                                                              • API String ID: 0-1970433246
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: {t<$}*R
                                                                                                                                                              • API String ID: 0-858880832
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: .x+G
                                                                                                                                                              • API String ID: 0-2776831907
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: *T-
                                                                                                                                                              • API String ID: 0-2395769403
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: =^r
                                                                                                                                                              • API String ID: 0-2970007195
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: x 9?
                                                                                                                                                              • API String ID: 0-257995016
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 8]mz
                                                                                                                                                              • API String ID: 0-272383865
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D4F032E
Memory Dump Source
• Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
Similarity
• API ID: FeaturePresentProcessor
• API String ID: 2325560087-0
                                                                                                                                                              • Opcode ID: 21b77d871135a994d65e800a80b749085fca1c998d629dd3c4d05de039f8e442
                                                                                                                                                              • Instruction ID: 0c1468e3bd3521f991da997fc758766fe7dd160eb278c5e94130fd7bc639bc95
                                                                                                                                                              • Opcode Fuzzy Hash: 21b77d871135a994d65e800a80b749085fca1c998d629dd3c4d05de039f8e442
                                                                                                                                                              • Instruction Fuzzy Hash: E35158B1A062068BEF15CF55C681BAEBBF0FBC9310F21856AD815EB750D3B49D81CB61
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 247a2a87b71334579f24d6931f77e34b2b68d60ba493685f2ca82e2827a5c82f
                                                                                                                                                              • Instruction ID: dc3aba3cd33c665513d234412f2005e147076280de081c2ccd955a6cebc80ff5
                                                                                                                                                              • Opcode Fuzzy Hash: 247a2a87b71334579f24d6931f77e34b2b68d60ba493685f2ca82e2827a5c82f
                                                                                                                                                              • Instruction Fuzzy Hash: A841B471804219AEDB10DF69CD88EAABBB8EF89344F1542DDE51DE3220DA359E858F50
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f0e2ad4f209d63aefb56d3425dcfd1368cd5b2c764d0403efb3ea4950286dedc
                                                                                                                                                              • Instruction ID: 044612746dcc41601384574fc075c00174c7650ccf5b1a31de7e298f832e1ec4
                                                                                                                                                              • Opcode Fuzzy Hash: f0e2ad4f209d63aefb56d3425dcfd1368cd5b2c764d0403efb3ea4950286dedc
                                                                                                                                                              • Instruction Fuzzy Hash: 2C324676A50101AFCF09CE7CE5D4BDD77F3AB463A6F249125E821DB390D62A9D0ACB01
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c74b4b8e246154ccaf55f8e18ea95c7b4ef686d5873b9b2881cb0bab73b1ffa8
                                                                                                                                                              • Instruction ID: f62327ae9a9274026424af27637faabb4ae98d3e93b73142b93f5e9b9b138134
                                                                                                                                                              • Opcode Fuzzy Hash: c74b4b8e246154ccaf55f8e18ea95c7b4ef686d5873b9b2881cb0bab73b1ffa8
                                                                                                                                                              • Instruction Fuzzy Hash: A5121432E181019FCF05CE7CC981BED7BE2BB463A2F14951AD811E7756D32A8D4ACB51
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 515bdb8af844d09eda8d77bd39def57a9cf4cde1cc3ebb34b1043531d93585a9
                                                                                                                                                              • Instruction ID: 8a70a76a816cdaac769dd508b632546f6ac496fafe521b760bae318cae75a965
                                                                                                                                                              • Opcode Fuzzy Hash: 515bdb8af844d09eda8d77bd39def57a9cf4cde1cc3ebb34b1043531d93585a9
                                                                                                                                                              • Instruction Fuzzy Hash: 34F15B32A541428FDF89DD7CC5E57EE37E2AB53320F21D619C421DB798CA2A8D0A8B51
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a7f5da5e8ed990bd03845f61d747784e3c0f42db5980e5ab964b04b8afe6b28f
                                                                                                                                                              • Instruction ID: d3889479cdf0e68a27e194bbcb9f0a10162a188c3a545dbc29f0b14933dc1ec9
                                                                                                                                                              • Opcode Fuzzy Hash: a7f5da5e8ed990bd03845f61d747784e3c0f42db5980e5ab964b04b8afe6b28f
                                                                                                                                                              • Instruction Fuzzy Hash: 4AE1E136A502028FCF45CE7CC5A5BEE77E2EB47324F249515C511EB799CA2A8E0ACF01
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a8171e2fb905f76ff621a90557d5a01e49aa3142705c10055e40827b358ea919
                                                                                                                                                              • Instruction ID: efb14a6ae1d87e43b7880c6593b64a994380526ba56efd769d3503c74f665b9f
                                                                                                                                                              • Opcode Fuzzy Hash: a8171e2fb905f76ff621a90557d5a01e49aa3142705c10055e40827b358ea919
                                                                                                                                                              • Instruction Fuzzy Hash: 07D17C76E511175FDF09CE7CC5D57EF37E2A7423A2F208219C821DB394CA2A4E0A8B41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
Memory Dump Source
• Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
• Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 01d0f13e6ab8b06f6a50d35764d54be776d52d45357a07f5b9273de56b9a4399
                                                                                                                                                              • Instruction ID: e890de87cd008c00b41128307e590eb898fbdc5049a74a41f12a79a1395a7916
                                                                                                                                                              • Opcode Fuzzy Hash: 01d0f13e6ab8b06f6a50d35764d54be776d52d45357a07f5b9273de56b9a4399
                                                                                                                                                              • Instruction Fuzzy Hash: 88D11676A541068FDF09CE7CC5A9BED77F2AB86360F20D116D421D7398C62B9E0A8B11
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 7005444b84701db5c898262109adcad70715d3d6a280e100506293f9d06fe575
                                                                                                                                                              • Instruction ID: bffa089184616b78763e526ee70579bbfe63167f8d9bc6feb40c2a9672bc92ef
                                                                                                                                                              • Opcode Fuzzy Hash: 7005444b84701db5c898262109adcad70715d3d6a280e100506293f9d06fe575
                                                                                                                                                              • Instruction Fuzzy Hash: 06D12536A542058FCF44CEBCD5A4BDD7BF2BB4A320F249519E811E7398D23A8D4ACB41
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 563eae2d3f5a9094bcc1db58020cb6b19d01638e8bff154fab0c03c036ac4821
                                                                                                                                                              • Instruction ID: a1411a4aa3e1eea7501f125550ac21074545da7f3a0c895901cd9d13ed994958
                                                                                                                                                              • Opcode Fuzzy Hash: 563eae2d3f5a9094bcc1db58020cb6b19d01638e8bff154fab0c03c036ac4821
                                                                                                                                                              • Instruction Fuzzy Hash: D4C13536A541169FCF08CE7CC5D5BEE37F2BB463A1F219219C821DB794D22A8D0ACB51
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 1aa61bbab7119e2e9617b20bafec3c968cdaec9c20d1c141f58527fc1026dae3
                                                                                                                                                              • Instruction ID: 59931972bc59576a206694137ad9e2db075b9bd7f530787d6d04306b9c8e9688
                                                                                                                                                              • Opcode Fuzzy Hash: 1aa61bbab7119e2e9617b20bafec3c968cdaec9c20d1c141f58527fc1026dae3
                                                                                                                                                              • Instruction Fuzzy Hash: A7C12136E501028FCF05CEACC5A6FEE37F2AF56314F219115C821EB755C22A8E0A8F12
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: febb423e5a7e0234d1aadf507a182ade59cbeed54c346c4e3e9f08cc9e36f08c
                                                                                                                                                              • Instruction ID: b5a0f3bcd6c1e25c07d3542bdf72d0a08f0d4de4585bbd0d3cbb2aa81964ff91
                                                                                                                                                              • Opcode Fuzzy Hash: febb423e5a7e0234d1aadf507a182ade59cbeed54c346c4e3e9f08cc9e36f08c
                                                                                                                                                              • Instruction Fuzzy Hash: F2B14B32E541068FCF49CDBCC5E5BEE3BF2AB423A0F20C616D911D7798C62A8E468745
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: fe52986c0f9bffd387456b5786c7fba3a8680178f891cac2dcf12ec47a42a46a
                                                                                                                                                              • Instruction ID: 88c3678cea0d4e4998e4f2acf96e7ba22e81d4a14ad398a46e6ad03e6e1d3d5f
                                                                                                                                                              • Opcode Fuzzy Hash: fe52986c0f9bffd387456b5786c7fba3a8680178f891cac2dcf12ec47a42a46a
                                                                                                                                                              • Instruction Fuzzy Hash: 4DA13537A501568FCF49CE7CD5B8BEE3BF2AB42320F259615C421DB794D22B8D0A8752
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c8ed5458698f95981f593100f735154c18955cf93dce05a51b9f0763f9422140
                                                                                                                                                              • Instruction ID: 69b341f3d78ac3c02bec9b32741f5070b8d20f37399933ebb3b99c3b03dd6d06
                                                                                                                                                              • Opcode Fuzzy Hash: c8ed5458698f95981f593100f735154c18955cf93dce05a51b9f0763f9422140
                                                                                                                                                              • Instruction Fuzzy Hash: B5A13632A541518FDF05CE7CC4D0BEE7BF2ABA6320F24D225D421E7394C63A9D4A8B61
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 67610349e6ac1d39f9eb4df5dcfe19bce7b3f9d4c17c0d484c7d819217765e12
                                                                                                                                                              • Instruction ID: 60a1581a2c10bbc6f787d05e0215d74f981ed390e7a380313aad299bf02ea13c
                                                                                                                                                              • Opcode Fuzzy Hash: 67610349e6ac1d39f9eb4df5dcfe19bce7b3f9d4c17c0d484c7d819217765e12
                                                                                                                                                              • Instruction Fuzzy Hash: FC510632A5420A9FDF04DE7CD584BEE37F1ABC3396F158115C429EB394D32A8E0A8751
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 4ffffe8f67207a9aa050f62d0b014f3b6b4aca39c830630224a44ee9e7e0be5b
                                                                                                                                                              • Instruction ID: 7ac40a40a8ef39c5e610533b27f28a92b696ea8e0a519dfef150c8837820fba8
                                                                                                                                                              • Opcode Fuzzy Hash: 4ffffe8f67207a9aa050f62d0b014f3b6b4aca39c830630224a44ee9e7e0be5b
                                                                                                                                                              • Instruction Fuzzy Hash: 8051FF75E252559FCF44CEBCD5A5ADEBBF1BB4A320F208219E820EB384C6365D068B15
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
                                                                                                                                                              • Instruction ID: f0ad0d3b6c644b8447d06ea897764feebd721d98f6d36474be3e0385ec967922
                                                                                                                                                              • Opcode Fuzzy Hash: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
                                                                                                                                                              • Instruction Fuzzy Hash: F2E08C32A12228EBCB14CB88C944E9AF3FCEB84B44B1540AAF611D3220C270DE01CBE0

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              control_flow_graph 2005 6d4f6640-6d4f6654 2006 6d4f6656-6d4f665b 2005->2006 2007 6d4f66c2-6d4f66ca 2005->2007 2006->2007 2010 6d4f665d-6d4f6662 2006->2010 2008 6d4f66cc-6d4f66cf 2007->2008 2009 6d4f6711-6d4f6729 call 6d4f67b1 2007->2009 2008->2009 2011 6d4f66d1-6d4f670e call 6d4f3f27 * 4 2008->2011 2018 6d4f672c-6d4f6733 2009->2018 2010->2007 2013 6d4f6664-6d4f6667 2010->2013 2011->2009 2013->2007 2016 6d4f6669-6d4f6671 2013->2016 2019 6d4f668b-6d4f6693 2016->2019 2020 6d4f6673-6d4f6676 2016->2020 2021 6d4f6735-6d4f6739 2018->2021 2022 6d4f6752-6d4f6756 2018->2022 2025 6d4f66ad-6d4f66c1 call 6d4f3f27 * 2 2019->2025 2026 6d4f6695-6d4f6698 2019->2026 2020->2019 2023 6d4f6678-6d4f668a call 6d4f3f27 call 6d4f857a 2020->2023 2027 6d4f674f 2021->2027 2028 6d4f673b-6d4f673e 2021->2028 2032 6d4f676e-6d4f677a 2022->2032 2033 6d4f6758-6d4f675d 2022->2033 2023->2019 2025->2007 2026->2025 2031 6d4f669a-6d4f66ac call 6d4f3f27 call 6d4f8678 2026->2031 2027->2022 2028->2027 2036 6d4f6740-6d4f674e call 6d4f3f27 * 2 2028->2036 2031->2025 2032->2018 2035 6d4f677c-6d4f6787 call 6d4f3f27 2032->2035 2040 6d4f675f-6d4f6762 2033->2040 2041 6d4f676b 2033->2041 2036->2027 2040->2041 2048 6d4f6764-6d4f676a call 6d4f3f27 2040->2048 2041->2032 2048->2041
                                                                                                                                                              APIs
                                                                                                                                                              • ___free_lconv_mon.LIBCMT ref: 6D4F6684
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F8597
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F85A9
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F85BB
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F85CD
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F85DF
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F85F1
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F8603
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F8615
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F8627
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F8639
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F864B
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F865D
                                                                                                                                                                • Part of subcall function 6D4F857A: _free.LIBCMT ref: 6D4F866F
                                                                                                                                                              • _free.LIBCMT ref: 6D4F6679
                                                                                                                                                                • Part of subcall function 6D4F3F27: HeapFree.KERNEL32(00000000,00000000,?,6D4F3439), ref: 6D4F3F3D
                                                                                                                                                                • Part of subcall function 6D4F3F27: GetLastError.KERNEL32(?,?,6D4F3439), ref: 6D4F3F4F
                                                                                                                                                              • _free.LIBCMT ref: 6D4F669B
                                                                                                                                                              • _free.LIBCMT ref: 6D4F66B0
                                                                                                                                                              • _free.LIBCMT ref: 6D4F66BB
                                                                                                                                                              • _free.LIBCMT ref: 6D4F66DD
                                                                                                                                                              • _free.LIBCMT ref: 6D4F66F0
                                                                                                                                                              • _free.LIBCMT ref: 6D4F66FE
                                                                                                                                                              • _free.LIBCMT ref: 6D4F6709
                                                                                                                                                              • _free.LIBCMT ref: 6D4F6741
                                                                                                                                                              • _free.LIBCMT ref: 6D4F6748
                                                                                                                                                              • _free.LIBCMT ref: 6D4F6765
                                                                                                                                                              • _free.LIBCMT ref: 6D4F677D
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              control_flow_graph 2062 6d4f3aa3-6d4f3ab6 2063 6d4f3ab8-6d4f3ac1 call 6d4f3f27 2062->2063 2064 6d4f3ac2-6d4f3b6f call 6d4f3f27 * 9 call 6d4f38cf call 6d4f393a 2062->2064 2063->2064
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              control_flow_graph 2471 6d4f5568-6d4f5574 2472 6d4f561b-6d4f561e 2471->2472 2473 6d4f5579-6d4f558a 2472->2473 2474 6d4f5624 2472->2474 2475 6d4f558c-6d4f558f 2473->2475 2476 6d4f5597-6d4f55b0 LoadLibraryExW 2473->2476 2477 6d4f5626-6d4f562a 2474->2477 2478 6d4f5618 2475->2478 2479 6d4f5595 2475->2479 2480 6d4f5602-6d4f560b 2476->2480 2481 6d4f55b2-6d4f55bb GetLastError 2476->2481 2478->2472 2483 6d4f5614-6d4f5616 2479->2483 2482 6d4f560d-6d4f560e FreeLibrary 2480->2482 2480->2483 2484 6d4f55bd-6d4f55cf call 6d4f3843 2481->2484 2485 6d4f55f2 2481->2485 2482->2483 2483->2478 2487 6d4f562b-6d4f562d 2483->2487 2484->2485 2491 6d4f55d1-6d4f55e3 call 6d4f3843 2484->2491 2486 6d4f55f4-6d4f55f6 2485->2486 2486->2480 2489 6d4f55f8-6d4f5600 2486->2489 2487->2477 2489->2478 2491->2485 2494 6d4f55e5-6d4f55f0 LoadLibraryExW 2491->2494 2494->2486
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 94Om$api-ms-$ext-ms-
                                                                                                                                                              • API String ID: 0-3364086374
                                                                                                                                                              • Opcode ID: dbef93ccb0320f327c870f6dab26a282edace8ba397e5ae3707c65803c9f6d19
                                                                                                                                                              • Instruction ID: 29d78fdb59405bf9198941a4b3b48c2f4cbc3f6f9f0c11a09ccc8476fd8443f6
                                                                                                                                                              • Opcode Fuzzy Hash: dbef93ccb0320f327c870f6dab26a282edace8ba397e5ae3707c65803c9f6d19
                                                                                                                                                              • Instruction Fuzzy Hash: C021EB71915222ABEB129A64DC44F3A3779AFC3B60F25C510E92AA73B1D730DD13C6E1

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 6D4F1D77
                                                                                                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6D4F1D7F
                                                                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 6D4F1E08
                                                                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6D4F1E33
                                                                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 6D4F1E88
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                              • String ID: csm
                                                                                                                                                              • API String ID: 1170836740-1018135373
                                                                                                                                                              • Opcode ID: 7a345518c3f2282f37bd66bd829983ddfb7e3fdab394e2b8f441c7356debc774
                                                                                                                                                              • Instruction ID: 0162157f382ab6038498de0ee6c2fd3a04df93ae95ad4413738bc5948597124b
                                                                                                                                                              • Opcode Fuzzy Hash: 7a345518c3f2282f37bd66bd829983ddfb7e3fdab394e2b8f441c7356debc774
                                                                                                                                                              • Instruction Fuzzy Hash: A0418074E04249ABCF10CF68C880EAEBBB5AFC5318F158059E914AB361D731ED16CB91

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: ;JOm$C:\Users\user\Desktop\46VHQmFDxC.exe
                                                                                                                                                              • API String ID: 0-2073565676
                                                                                                                                                              • Opcode ID: 4ed0bfcda73bb93829462c1f602077dff61f3ea8528eb073e2ff30de2430dea4
                                                                                                                                                              • Instruction ID: a74492387244023cc028b651b079d33d646751ced15a8027045a96ee85e0f981
                                                                                                                                                              • Opcode Fuzzy Hash: 4ed0bfcda73bb93829462c1f602077dff61f3ea8528eb073e2ff30de2430dea4
                                                                                                                                                              • Instruction Fuzzy Hash: 31218071708206AFD7109E759D80E6B77BCEBC93A87118618F95CD6270EF21EC4387A0

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                                • Part of subcall function 6D4F86E1: _free.LIBCMT ref: 6D4F8706
                                                                                                                                                              • _free.LIBCMT ref: 6D4F8767
                                                                                                                                                                • Part of subcall function 6D4F3F27: HeapFree.KERNEL32(00000000,00000000,?,6D4F3439), ref: 6D4F3F3D
                                                                                                                                                                • Part of subcall function 6D4F3F27: GetLastError.KERNEL32(?,?,6D4F3439), ref: 6D4F3F4F
                                                                                                                                                              • _free.LIBCMT ref: 6D4F8772
                                                                                                                                                              • _free.LIBCMT ref: 6D4F877D
                                                                                                                                                              • _free.LIBCMT ref: 6D4F87D1
                                                                                                                                                              • _free.LIBCMT ref: 6D4F87DC
                                                                                                                                                              • _free.LIBCMT ref: 6D4F87E7
                                                                                                                                                              • _free.LIBCMT ref: 6D4F87F2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                                              • Opcode ID: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
                                                                                                                                                              • Instruction ID: 271097733c79df3e2ba380ff6dd5e42ee49a5c7e389e7a74d21709b8bfc4a62e
                                                                                                                                                              • Opcode Fuzzy Hash: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
                                                                                                                                                              • Instruction Fuzzy Hash: 3B11AFB1608B04EAEA20E7B1CC09FCF77ACEF85305F85081CE399AA071DB24F8565695
                                                                                                                                                              APIs
                                                                                                                                                              • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6D4F7877
                                                                                                                                                              • __fassign.LIBCMT ref: 6D4F7A5C
                                                                                                                                                              • __fassign.LIBCMT ref: 6D4F7A79
                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4F7AC1
                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D4F7B01
                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4F7BA9
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 1735259414-0
                                                                                                                                                              • Opcode ID: 349583a7e2bb11e392fe6fb6989ff55b71c3b7c1594da50425998c9d4089a4dc
                                                                                                                                                              • Instruction ID: a82196ee3588f9b86826d2ffd2036e33383204b0ea26ef132f415191dffcf443
                                                                                                                                                              • Opcode Fuzzy Hash: 349583a7e2bb11e392fe6fb6989ff55b71c3b7c1594da50425998c9d4089a4dc
                                                                                                                                                              • Instruction Fuzzy Hash: E6C17D71D082599FDF15CFA8C880EEDBBB5AF89308F28415AE855B7251D2359E42CF60
                                                                                                                                                              APIs
                                                                                                                                                              • GetLastError.KERNEL32(00000001,?,6D4F1EE5,6D4EFF28,6D4EF8EF,?,6D4EFB27,?,00000001,?,?,00000001,?,6D500908,0000000C,6D4EFC20), ref: 6D4F2225
                                                                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D4F2233
                                                                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D4F224C
                                                                                                                                                              • SetLastError.KERNEL32(00000000,6D4EFB27,?,00000001,?,?,00000001,?,6D500908,0000000C,6D4EFC20,?,00000001,?), ref: 6D4F229E
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3852720340-0
                                                                                                                                                              • Opcode ID: 28c538a2520722eee7edf1106a2fb7d855b686b0c2f3952812dcb91c82213151
                                                                                                                                                              • Instruction ID: eb7c314d62ffa7f8366926dc93e310b48950d53d8286258d365a369526fc8bb3
                                                                                                                                                              • Opcode Fuzzy Hash: 28c538a2520722eee7edf1106a2fb7d855b686b0c2f3952812dcb91c82213151
                                                                                                                                                              • Instruction Fuzzy Hash: 3601B53230D3925DEB3166B46CC4E1A3764EBC3779772022EE524D55F0EF118C436182
                                                                                                                                                              APIs
                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,6D4F2454,00000000,?,00000001,00000000,?,6D4F24CB,00000001,FlsFree,6D4FC354,FlsFree,00000000), ref: 6D4F2423
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: FreeLibrary
                                                                                                                                                              • String ID: api-ms-
                                                                                                                                                              • API String ID: 3664257935-2084034818
                                                                                                                                                              • Opcode ID: bb5412b5b407b6ae31880df520dad127ff61aeefd16392ca57ce3e7c47e47163
                                                                                                                                                              • Instruction ID: 39a7c45d14767ae64de5b013acbf0ab6d6a10ec37138cf1f4d568fc6b0a8bc57
                                                                                                                                                              • Opcode Fuzzy Hash: bb5412b5b407b6ae31880df520dad127ff61aeefd16392ca57ce3e7c47e47163
                                                                                                                                                              • Instruction Fuzzy Hash: B111AB31A456719BDB329A689C80F5933B4EF83770F254121E915FB2A0DBA0ED4286D5
                                                                                                                                                              APIs
                                                                                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6D4F2D59,?,?,6D4F2D21,?,00000001,?), ref: 6D4F2DBC
                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D4F2DCF
                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,6D4F2D59,?,?,6D4F2D21,?,00000001,?), ref: 6D4F2DF2
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                                                                              • Opcode ID: b24c24fe268d04ae5581c6f1192f6a1d908de385c7ff14f34c62d78af7719108
                                                                                                                                                              • Instruction ID: 340ea6388220829321f2b21d41f33b27121a0e9ea0286331d7934334c422527d
                                                                                                                                                              • Opcode Fuzzy Hash: b24c24fe268d04ae5581c6f1192f6a1d908de385c7ff14f34c62d78af7719108
                                                                                                                                                              • Instruction Fuzzy Hash: 3CF01C31502699FBDF11AB50DD49FEE7A79EF8275AF204060E811E2270DB34CE11EB95
                                                                                                                                                              APIs
                                                                                                                                                              • _free.LIBCMT ref: 6D4F8690
                                                                                                                                                                • Part of subcall function 6D4F3F27: HeapFree.KERNEL32(00000000,00000000,?,6D4F3439), ref: 6D4F3F3D
                                                                                                                                                                • Part of subcall function 6D4F3F27: GetLastError.KERNEL32(?,?,6D4F3439), ref: 6D4F3F4F
                                                                                                                                                              • _free.LIBCMT ref: 6D4F86A2
                                                                                                                                                              • _free.LIBCMT ref: 6D4F86B4
                                                                                                                                                              • _free.LIBCMT ref: 6D4F86C6
                                                                                                                                                              • _free.LIBCMT ref: 6D4F86D8
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                                              • Opcode ID: 6a8ee282262ba2f7b3c0312b0303c7ec8a55a42c215046198c1f9357a87e1c86
                                                                                                                                                              • Instruction ID: bbc0c9641961513552bad3b8a10fd087f2cff2df801192e389f633225282b9c0
                                                                                                                                                              • Opcode Fuzzy Hash: 6a8ee282262ba2f7b3c0312b0303c7ec8a55a42c215046198c1f9357a87e1c86
                                                                                                                                                              • Instruction Fuzzy Hash: 11F04FB15092459BDB10EF55D485E2B33F9EAC23153A6180AF128DBA60CB30FC828AE5
                                                                                                                                                              APIs
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: _free
                                                                                                                                                              • String ID: *?
                                                                                                                                                              • API String ID: 269201875-2564092906
                                                                                                                                                              • Opcode ID: efaba169b8992d2e26a785112f36f40523865fa27bba120f56925424b36ce35c
                                                                                                                                                              • Instruction ID: cd9b59b089704a3be13c1a73e5ff38d4f0e2c44a85bd9a4e8edc7f2eaee019a2
                                                                                                                                                              • Opcode Fuzzy Hash: efaba169b8992d2e26a785112f36f40523865fa27bba120f56925424b36ce35c
                                                                                                                                                              • Instruction Fuzzy Hash: D9614C75E0421A9FDB14CFA8C9809EEFBF5EF88354B258169D915F7310DB319E428B90
                                                                                                                                                              APIs
                                                                                                                                                                • Part of subcall function 6D4F782F: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6D4F7877
                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6D4F6059,?,00000000,00000000,6D500BB8,0000002C,6D4F60CA,?), ref: 6D4F81E5
                                                                                                                                                              • GetLastError.KERNEL32 ref: 6D4F81EF
                                                                                                                                                              • __dosmaperr.LIBCMT ref: 6D4F822E
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
                                                                                                                                                              • String ID: Y`Om
                                                                                                                                                              • API String ID: 910155933-2608077371
                                                                                                                                                              • Opcode ID: c1a0875da4b70a850e2afa67bd036b0c2375dcfbc7eaf3bef32025d297cf2193
                                                                                                                                                              • Instruction ID: de9cc6b145ed16258a2b38296fa9048a81cf0b31080901e9f72055286806202a
                                                                                                                                                              • Opcode Fuzzy Hash: c1a0875da4b70a850e2afa67bd036b0c2375dcfbc7eaf3bef32025d297cf2193
                                                                                                                                                              • Instruction Fuzzy Hash: 3651B1B1A0810AABDB01CBAAC944FEEBB75EFC6314F150149E510AF271D7359E43CBA1
                                                                                                                                                              APIs
                                                                                                                                                                • Part of subcall function 6D4F4767: _free.LIBCMT ref: 6D4F4775
                                                                                                                                                                • Part of subcall function 6D4F533B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6D4F72D3,?,00000000,00000000), ref: 6D4F53E7
                                                                                                                                                              • GetLastError.KERNEL32 ref: 6D4F41AD
                                                                                                                                                              • __dosmaperr.LIBCMT ref: 6D4F41B4
                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D4F41F3
                                                                                                                                                              • __dosmaperr.LIBCMT ref: 6D4F41FA
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 167067550-0
                                                                                                                                                              APIs
                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,6D4F7C77,?,00000001,6D4F60CA,?,6D4F8134,00000001,?,?,?,6D4F6059,?,00000000), ref: 6D4F3BEC
                                                                                                                                                              • _free.LIBCMT ref: 6D4F3C49
                                                                                                                                                              • _free.LIBCMT ref: 6D4F3C7F
                                                                                                                                                              • SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6D4F8134,00000001,?,?,?,6D4F6059,?,00000000,00000000,6D500BB8,0000002C,6D4F60CA), ref: 6D4F3C8A
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ErrorLast_free
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2283115069-0
                                                                                                                                                              APIs
                                                                                                                                                              • GetLastError.KERNEL32(?,?,00000001,6D4F4010,6D4F3F4D,?,?,6D4F3439), ref: 6D4F3D43
                                                                                                                                                              • _free.LIBCMT ref: 6D4F3DA0
                                                                                                                                                              • _free.LIBCMT ref: 6D4F3DD6
                                                                                                                                                              • SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,00000001,6D4F4010,6D4F3F4D,?,?,6D4F3439), ref: 6D4F3DE1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ErrorLast_free
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2283115069-0
                                                                                                                                                              APIs
                                                                                                                                                              • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6D4F8923,?,00000001,?,00000001,?,6D4F7C06,?,?,00000001), ref: 6D4F8EDD
                                                                                                                                                              • GetLastError.KERNEL32(?,6D4F8923,?,00000001,?,00000001,?,6D4F7C06,?,?,00000001,?,00000001,?,6D4F8155,Y`Om), ref: 6D4F8EE9
                                                                                                                                                                • Part of subcall function 6D4F8EAF: CloseHandle.KERNEL32(FFFFFFFE,6D4F8EF9,?,6D4F8923,?,00000001,?,00000001,?,6D4F7C06,?,?,00000001,?,00000001), ref: 6D4F8EBF
                                                                                                                                                              • ___initconout.LIBCMT ref: 6D4F8EF9
                                                                                                                                                                • Part of subcall function 6D4F8E71: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D4F8EA0,6D4F8910,00000001,?,6D4F7C06,?,?,00000001,?), ref: 6D4F8E84
                                                                                                                                                              • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6D4F8923,?,00000001,?,00000001,?,6D4F7C06,?,?,00000001,?), ref: 6D4F8F0E
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2744216297-0
                                                                                                                                                              APIs
                                                                                                                                                                • Part of subcall function 6D4F4B5E: GetOEMCP.KERNEL32(00000000,6D4F4DCF,?,00000001,6D4F8134,6D4F8134,00000001,?,?), ref: 6D4F4B89
                                                                                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,6D4F4E16,?,00000000,?,6D4F6059,?,?,?,?,6D4F8134), ref: 6D4F5021
                                                                                                                                                              • GetCPInfo.KERNEL32(00000000,?,?,?,6D4F4E16,?,00000000,?,6D4F6059,?,?,?,?,6D4F8134,00000001,?), ref: 6D4F5063
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CodeInfoPageValid
                                                                                                                                                              • String ID: Y`Om
                                                                                                                                                              • API String ID: 546120528-2608077371
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: C:\Users\user\Desktop\46VHQmFDxC.exe
                                                                                                                                                              • API String ID: 0-3783591300
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: string too long
                                                                                                                                                              • API String ID: 0-2556327735
                                                                                                                                                              APIs
                                                                                                                                                                • Part of subcall function 6D4F4B5E: GetOEMCP.KERNEL32(00000000,6D4F4DCF,?,00000001,6D4F8134,6D4F8134,00000001,?,?), ref: 6D4F4B89
                                                                                                                                                              • _free.LIBCMT ref: 6D4F4E2C
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.1378137405.000000006D4B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D4B0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.1378120829.000000006D4B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378185702.000000006D4FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D502000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378210390.000000006D544000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.1378281972.000000006D54F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d4b0000_46VHQmFDxC.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: _free
                                                                                                                                                              • String ID: x{
                                                                                                                                                              • API String ID: 269201875-3015111431
                                                                                                                                                              • Opcode ID: 7f39b64b7d08907cbf5aa2ddfdb6cd343209229d3b83cf072a96f4e1e071d012
                                                                                                                                                              • Instruction ID: 4d91f5092e293ac27404caadf3d8f1a0e334c9d6988f77839937e5ae1702ed26
                                                                                                                                                              • Opcode Fuzzy Hash: 7f39b64b7d08907cbf5aa2ddfdb6cd343209229d3b83cf072a96f4e1e071d012
                                                                                                                                                              • Instruction Fuzzy Hash: ED31927290820AAFCB01DF68D940E9E77B4FF88355F11416AE519973A0EB32DD52CF91

                                                                                                                                                              Execution Graph

                                                                                                                                                              Execution Coverage:6.4%
                                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                              Signature Coverage:0%
                                                                                                                                                              Total number of Nodes:38
                                                                                                                                                              Total number of Limit Nodes:7
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 2104d31320512b2072a552726b66baf3595f2ff34eacf64cd459a66f6de15901
                                                                                                                                                              • Instruction ID: 4b89a9bc07012be0f915a3e931585156460d4e5c7569c526bd360eff1636b6e2
                                                                                                                                                              • Opcode Fuzzy Hash: 2104d31320512b2072a552726b66baf3595f2ff34eacf64cd459a66f6de15901
                                                                                                                                                              • Instruction Fuzzy Hash: 33128034B002158FDB54DF69D884AAEBBF6BF89710B158169E905EB365DF30EC41CBA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a54bc891cee19ebcc58e0037c9336f78ef26e9f3a8d3d1c6d79d26b4ec605643
                                                                                                                                                              • Instruction ID: 2492bf2a4c328eb7351db851fe63fab71ea0a07ab2e21ce221bff7b48ddf6fcd
                                                                                                                                                              • Opcode Fuzzy Hash: a54bc891cee19ebcc58e0037c9336f78ef26e9f3a8d3d1c6d79d26b4ec605643
                                                                                                                                                              • Instruction Fuzzy Hash: 69F1D330A006099FDB45DF64E880B9EBBF6FF89300F148569E405EB2A1DB74ED45CBA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: ec529a1aa285983ad736bdf289e82a467412ccb1b7974b321bd2fdef71c73973
                                                                                                                                                              • Instruction ID: 18efc2f34e8b2bdf4d1c5299431c652631f543dc66712c8861078dcdaf5c8dcf
                                                                                                                                                              • Opcode Fuzzy Hash: ec529a1aa285983ad736bdf289e82a467412ccb1b7974b321bd2fdef71c73973
                                                                                                                                                              • Instruction Fuzzy Hash: EDD1D634D00218CFCB58EFB4E894A9DBBB3FF8A301F1095A9E51AA7254DB315986CF51

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 02BFD136
                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 02BFD173
                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 02BFD1B0
                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02BFD209
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                              • Opcode ID: e5e5f62d66549f1166a6f0aae2040ee2129c86e3b331836c4b75be4a8d1388f2
                                                                                                                                                              • Instruction ID: f000e281395d4224a60520a0ba22805633f8e5a3a247c3046456fea2d40e904f
                                                                                                                                                              • Opcode Fuzzy Hash: e5e5f62d66549f1166a6f0aae2040ee2129c86e3b331836c4b75be4a8d1388f2
                                                                                                                                                              • Instruction Fuzzy Hash: C15178B09007498FDB54CFA9D548B9EBBF1EF88304F20849DE019A73A0DB785985CB65

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 02BFD136
                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 02BFD173
                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 02BFD1B0
                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02BFD209
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                              • Opcode ID: 12ecfa4efdbd758301591c2cb68147564925e001bd8d472b95fbba244499f512
                                                                                                                                                              • Instruction ID: d0724b7b173e3250b2d479cb5a031aac926a896a20d5490d64d2ff35f6c3e8a0
                                                                                                                                                              • Opcode Fuzzy Hash: 12ecfa4efdbd758301591c2cb68147564925e001bd8d472b95fbba244499f512
                                                                                                                                                              • Instruction Fuzzy Hash: 6A5168B09007498FDB54CFAAD548BDEBBF1EF88304F208459E019A7390DB785985CB65

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02BFB086
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                              • Opcode ID: 57a3352ccf97d0daac898b8695cbe29f7467600cc5a7622e955fd2ee8002b2ff
                                                                                                                                                              • Instruction ID: 307c723c6366d3d8e91110bd18c9924768dfed6fdc31b242c9a08d0ec1bf15cb
                                                                                                                                                              • Opcode Fuzzy Hash: 57a3352ccf97d0daac898b8695cbe29f7467600cc5a7622e955fd2ee8002b2ff
                                                                                                                                                              • Instruction Fuzzy Hash: D78147B0A00B058FD768DF69D04179ABBF1FF88704F10896DD58ADBA50D775E84ACB90

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02BF59F1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Create
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                              • Opcode ID: ccc4a7d9e6ef077fd96a818f2f73a54644edbf55cccffb629635f484a83889e9
                                                                                                                                                              • Instruction ID: aae395e73dbeda7011a39057918b159d0594c6c553f72c227006fe272c29ace4
                                                                                                                                                              • Opcode Fuzzy Hash: ccc4a7d9e6ef077fd96a818f2f73a54644edbf55cccffb629635f484a83889e9
                                                                                                                                                              • Instruction Fuzzy Hash: 5541E1B0D00718CBEB24DFA9C8847CDBBB5FF48304F20845AD518AB250DB75698ACF50

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              APIs
                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02BF59F1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Create
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2289755597-0

                                                                                                                                                              APIs
                                                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BFD387
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: DuplicateHandle
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3793708945-0

                                                                                                                                                              APIs
                                                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BFD387
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: DuplicateHandle
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3793708945-0

                                                                                                                                                              APIs
                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02BFB086
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619746644.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_2bf0000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 4139908857-0

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: d
                                                                                                                                                              • API String ID: 0-2564639436

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 70615db0f2d044350c64784212f3beae7bc487f93a94dd11073e0fd2bfc8426b
                                                                                                                                                              • Instruction ID: bd5201dfc104e9c6017b1b53b892160e3407df5ce6ecb6a2f7658cb95668b144
                                                                                                                                                              • Opcode Fuzzy Hash: 70615db0f2d044350c64784212f3beae7bc487f93a94dd11073e0fd2bfc8426b
                                                                                                                                                              • Instruction Fuzzy Hash: 1E416D34A00605CFCB50CF59D880A6AB7F6FF89310B55C9A9E5599B361EB30F841CF90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: d95570531db5a81958512ee1a8841506bc6aceefd7b648a69181e37b954ca77e
                                                                                                                                                              • Instruction ID: 622af3d6e3e83a3d5bc45ec7541f9f5aee37ca965dc6725e7be54b749caa1fb2
                                                                                                                                                              • Opcode Fuzzy Hash: d95570531db5a81958512ee1a8841506bc6aceefd7b648a69181e37b954ca77e
                                                                                                                                                              • Instruction Fuzzy Hash: E93134317102154FC729A738E85066F77EAEFCA220715447AE449CB780DE75EC4787B1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 8b3dad10c17ef7f48075c7a7f883cdad1432d587ca57fb64d6e254e8cb30ca46
                                                                                                                                                              • Instruction ID: 7d9cb22c40c35d08c3cc5189e88a42637374e8a24d27b566236a789cc2db689c
                                                                                                                                                              • Opcode Fuzzy Hash: 8b3dad10c17ef7f48075c7a7f883cdad1432d587ca57fb64d6e254e8cb30ca46
                                                                                                                                                              • Instruction Fuzzy Hash: AE31AD317002059FCB58EB78A86066F37E3EBC9211B14443ED50ADB381EE79DD0A87E2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 9590aaf9362f06241b66ca19a52c4aaee9e296f0288b9e7c5762b5a58550aef7
                                                                                                                                                              • Instruction ID: bbd3108fda7ddda260c8f957bfb6bed04512e98d6fd61c1e7df78eaa683d84df
                                                                                                                                                              • Opcode Fuzzy Hash: 9590aaf9362f06241b66ca19a52c4aaee9e296f0288b9e7c5762b5a58550aef7
                                                                                                                                                              • Instruction Fuzzy Hash: A4318C35B00210AFDB19DF34D884A5EBBB6FF8A240B508469E905CB355EF34ED45CBA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 606c5d733b2db5fabbd81e951bfd8cbc32de30974308a038677c04c67dd18ea7
                                                                                                                                                              • Instruction ID: 1ad9a50c4e57c0d5d3af5d7791714e48134d0e495c4df225fc7ce3537989292e
                                                                                                                                                              • Opcode Fuzzy Hash: 606c5d733b2db5fabbd81e951bfd8cbc32de30974308a038677c04c67dd18ea7
                                                                                                                                                              • Instruction Fuzzy Hash: FF318B35B002119FDB19DF34E884A6EBBB6FF8A240B508469E905CB355EF71ED45CB90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: b48667ff862fcc0320c63f6c56ca6374865c02d47a41b9b7c86fd1307161c9bb
                                                                                                                                                              • Instruction ID: 6d8a6f0cb6240168682eb956c1b086ccd1bcfad4af2fd23fec471268150f0ea1
                                                                                                                                                              • Opcode Fuzzy Hash: b48667ff862fcc0320c63f6c56ca6374865c02d47a41b9b7c86fd1307161c9bb
                                                                                                                                                              • Instruction Fuzzy Hash: 6441E271D01248DFDB54DFAAD844ADEFBF6BF88310F14842AE415AB250DB35A946CF90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 91959e60cc3d8f95eacd34e9081be5cf6a1b99f00560bc1b7757be48273d6ac0
                                                                                                                                                              • Instruction ID: 584329f8edee4dad154484f3ed703f16ad0b4f0d25d103fa09eff96564167ecb
                                                                                                                                                              • Opcode Fuzzy Hash: 91959e60cc3d8f95eacd34e9081be5cf6a1b99f00560bc1b7757be48273d6ac0
                                                                                                                                                              • Instruction Fuzzy Hash: 8131D4B1D012489FDB14DFAAD985ADEBFF6BF88300F14842AD415A7250DB359946CF90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e56f9a13cf3bd1f45a1ea962a123928bd44c7d9476d0f18bee9dfa3503f07c41
                                                                                                                                                              • Instruction ID: afa6e7e83125b76565b423628ac912b9ca225383623b33f0e15b1d8e54620ad8
                                                                                                                                                              • Opcode Fuzzy Hash: e56f9a13cf3bd1f45a1ea962a123928bd44c7d9476d0f18bee9dfa3503f07c41
                                                                                                                                                              • Instruction Fuzzy Hash: D031E3B1D012589FDB14CFAAD894BDEBBF5FF48310F14842AE409A7240D774A946CB94
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619125428.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_dad000_MSBuild.jbxd
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619171331.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_dbd000_MSBuild.jbxd
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 101feb259947b6c941dda058ebbbcadc406e92e2ead23567264dacc96dfc66de
                                                                                                                                                              • Instruction ID: ed68f5368adbdc8f62dd66b95c52bdcbb9cf43fe6694e6d4fe01863f629f8334
                                                                                                                                                              • Opcode Fuzzy Hash: 101feb259947b6c941dda058ebbbcadc406e92e2ead23567264dacc96dfc66de
                                                                                                                                                              • Instruction Fuzzy Hash: B901C8302112049FC7956B7CA8649AF37A7EEC2250714852AF107CF641DEB4BEC687B6
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 18b1ddb71f7432e67cf0b17d1ee09de984da31435d234456d303940f85973e9e
                                                                                                                                                              • Instruction ID: 2e9ce6ee58beae498232f26dfed90dbfb1c8baa76a778e43e53eba861ff6b4e7
                                                                                                                                                              • Opcode Fuzzy Hash: 18b1ddb71f7432e67cf0b17d1ee09de984da31435d234456d303940f85973e9e
                                                                                                                                                              • Instruction Fuzzy Hash: 2D11963490A384AFCB02EF78E96055D7F76BF46200B1441DAE444DB257DB345F45CB61
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2619125428.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_dad000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                                                                                                                              • Instruction ID: 656cdf870b07bd275c6663ee573eaa112bc3be084676c256a2a62afffb15ec70
                                                                                                                                                              • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                                                                                                                              • Instruction Fuzzy Hash: 6B112676404240CFCB05CF00D5C4B16BF72FB99324F28C6A9D80A0B656C33AE856CBA1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 176a1f0ff11d53f65f8121c0ec829b78c3a25e6573efa33dc040179aeee6fc2f
                                                                                                                                                              • Instruction ID: a37b24e449cba36d30f8c025643a0a7eb45615f2d93efc6e1e50611c9222fda8
                                                                                                                                                              • Opcode Fuzzy Hash: 176a1f0ff11d53f65f8121c0ec829b78c3a25e6573efa33dc040179aeee6fc2f
                                                                                                                                                              • Instruction Fuzzy Hash: D701E5302043004FD355AF74E41465E7BB3EFCA715B10C62AE1468B645DFB49A0A8BA1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 7615776f8f7bd06c3e78a7b58fb67d9847fb413333b9447a541241f01ba723c0
                                                                                                                                                              • Instruction ID: cab2c5a922a4bc890d5b3fd3685a291e1855ab7007358aed7ae92f7eb871098e
                                                                                                                                                              • Opcode Fuzzy Hash: 7615776f8f7bd06c3e78a7b58fb67d9847fb413333b9447a541241f01ba723c0
                                                                                                                                                              • Instruction Fuzzy Hash: 91017C71B001199BDB50DEA9AC88AAFB7FAFB84661B14803AE605D3340EB70991587A1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 7a77fca537a49f0dbcbc5f40f19057a4e30129b4ecc6437521b0c2af0e8eb412
                                                                                                                                                              • Instruction ID: 2247c17178a1380ab457a622504b1bee274f2f6b035bcf8196ad7b969bfb10a5
                                                                                                                                                              • Opcode Fuzzy Hash: 7a77fca537a49f0dbcbc5f40f19057a4e30129b4ecc6437521b0c2af0e8eb412
                                                                                                                                                              • Instruction Fuzzy Hash: 0601B5312102058F87D9AB3CE45492E36A7EEC1290354882AF107CF640EEB4BDC687A6
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 92eb22e9609a7cfe79fb3a2051e2ae194a8ac656970e8464e6c234125dd9dc41
                                                                                                                                                              • Instruction ID: c6c8373c4baef5aea37c4bcf2fd255808792c8e5fc44a9d6a49c53669216ce17
                                                                                                                                                              • Opcode Fuzzy Hash: 92eb22e9609a7cfe79fb3a2051e2ae194a8ac656970e8464e6c234125dd9dc41
                                                                                                                                                              • Instruction Fuzzy Hash: 92F04C32709250AFC7630BE57C644EE7F6AEB8378134854AEF146C7251DA644903C7F6
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 69181e758f011ae53fced3fc60908a6ae4cab84f02e7d59500875054ccd9d327
                                                                                                                                                              • Instruction ID: d130e548bed3957a9c511f1568cf354e566fbab128f307b73ab666108bc95d48
                                                                                                                                                              • Opcode Fuzzy Hash: 69181e758f011ae53fced3fc60908a6ae4cab84f02e7d59500875054ccd9d327
                                                                                                                                                              • Instruction Fuzzy Hash: 0301D634609304DFCB16AF74D81489A3FBAEF8620071484EAE505CB362DB32DD11DB91
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 8ab4adca131d560d77e11e7cc708c6b405c78dfb9abe91792f26e22ff3aba3c1
                                                                                                                                                              • Instruction ID: 9ad060a9ff788fede39fa5c1805681bd0ca9b66fffdbba7d011762ab4d96e70b
                                                                                                                                                              • Opcode Fuzzy Hash: 8ab4adca131d560d77e11e7cc708c6b405c78dfb9abe91792f26e22ff3aba3c1
                                                                                                                                                              • Instruction Fuzzy Hash: DCF068671040983BCB514EDA5C51EFB3FEDDB8E151F084056FA94D1141C41DC911ABB1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 4db4b8a4688bbb379c7e96191cbcff90f8ce59ac77616a2eeeaeec33d04ce5a4
                                                                                                                                                              • Instruction ID: a9eca59084223529a8d1521033e298ee5be2af2cfb87dbcb4010aa9501aae1a2
                                                                                                                                                              • Opcode Fuzzy Hash: 4db4b8a4688bbb379c7e96191cbcff90f8ce59ac77616a2eeeaeec33d04ce5a4
                                                                                                                                                              • Instruction Fuzzy Hash: 4E01D2302003048BD315AF65E01861ABBF3EFC9715B50CA2DE14A8B644DFB4A90A8BA1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f34b4a500c52e8af9c2485bf0aa692a986176c9b8c2081775b4e802592d039fa
                                                                                                                                                              • Instruction ID: fbe01e4170e4279dfe6bc15f5cf9bd0603fcef074624a87a38d5c5136cf16761
                                                                                                                                                              • Opcode Fuzzy Hash: f34b4a500c52e8af9c2485bf0aa692a986176c9b8c2081775b4e802592d039fa
                                                                                                                                                              • Instruction Fuzzy Hash: E801D130A11302CFDBA99A35F404A23B3F7BF84209744883DE10686654FE75E484CF80
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Opcode ID: e5031caed275ac1cac20ad88ca484e98e792d1ba6d21c4b3166a7965a7ad39d6
                                                                                                                                                              • Instruction ID: 3f3884e573425ce2bf0d12b97726885ca9a769711c33fe1cf9fbb1d5d02397f2
                                                                                                                                                              • Opcode Fuzzy Hash: e5031caed275ac1cac20ad88ca484e98e792d1ba6d21c4b3166a7965a7ad39d6
                                                                                                                                                              • Instruction Fuzzy Hash: 10F082312082945FC7171B6978644DE7F6BDB86554304009BE586CB293DA540945C7EA
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 84a785186fe8f6cc36b3a87127b9ff0c1a527e7c61c7c0ef537cf1ffca51a543
                                                                                                                                                              • Instruction ID: 218f91cdda2cf53e8597749f3c2618b6ebd7bb0920c0218c4a412c8cca006c95
                                                                                                                                                              • Opcode Fuzzy Hash: 84a785186fe8f6cc36b3a87127b9ff0c1a527e7c61c7c0ef537cf1ffca51a543
                                                                                                                                                              • Instruction Fuzzy Hash: 3BE012312001006BC7546E9AB489A9F7ADFEBCA755B40452DF20ED3242DEB6684547F5
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c81011f006cd8dcb935d24610672e85f92204d903e9f872191db25b32d6d5d2d
                                                                                                                                                              • Instruction ID: 812f0120f31faebb9cb4965601d333bc9d9f1d363f0e9afa8277f0c8c4b83dd9
                                                                                                                                                              • Opcode Fuzzy Hash: c81011f006cd8dcb935d24610672e85f92204d903e9f872191db25b32d6d5d2d
                                                                                                                                                              • Instruction Fuzzy Hash: 1CF09075500B018FD715DF2AE448516BBF7FB88310700C62EE94BC6A10DF70A54ACF84
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 9e37e0e713d672f36b8c16f99ccedc649238d9afafd91ef3455f2e36345b8bf9
                                                                                                                                                              • Instruction ID: 5a42cbd4385418fa92d1930d09d5f254bf8d5df2966f83abbc74826b03ff6505
                                                                                                                                                              • Opcode Fuzzy Hash: 9e37e0e713d672f36b8c16f99ccedc649238d9afafd91ef3455f2e36345b8bf9
                                                                                                                                                              • Instruction Fuzzy Hash: 68E048311066545FC742EA29FC64BDA3766EB46A61B00415AE040C7647DB341E498BE2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: cd618fcde6b783b58d06a85aec2f0ced0cefcc7b05e7ae68b720515718d1dc3a
                                                                                                                                                              • Instruction ID: 616e865db5c7c3836df43fde74b1b5c1916033f51e8f446ce0ab79106e4247b8
                                                                                                                                                              • Opcode Fuzzy Hash: cd618fcde6b783b58d06a85aec2f0ced0cefcc7b05e7ae68b720515718d1dc3a
                                                                                                                                                              • Instruction Fuzzy Hash: E4F01535D0020CAFCB41DFB8E9488CDBBB9EB44200F1082A6D905EA240FA315B559B90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f60c3733377eaf841f4f3b4b0e587496235a0c8ec7ea68d765d6f318734a01ba
                                                                                                                                                              • Instruction ID: d6fee7089516c4cdd8e5c6315bd7075b5f6c59b62f2007dfd5506010afc0d8dc
                                                                                                                                                              • Opcode Fuzzy Hash: f60c3733377eaf841f4f3b4b0e587496235a0c8ec7ea68d765d6f318734a01ba
                                                                                                                                                              • Instruction Fuzzy Hash: 28E065302047904FC715AB2DF41879F7BEBDF85654F04852EE246CF641DBB5AC058B96
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f425845f6b4c9818ad673fef832c65d4b416c095fa4aa3dc73d4ac95efda624f
                                                                                                                                                              • Instruction ID: 65fcce6b9b80ed559b5d0765e3824f050186c033741bc31e12286ddaa21ef64e
                                                                                                                                                              • Opcode Fuzzy Hash: f425845f6b4c9818ad673fef832c65d4b416c095fa4aa3dc73d4ac95efda624f
                                                                                                                                                              • Instruction Fuzzy Hash: C8E09270105355EFCB43AA25F955B963BA5BF02620705409AE840CB647D7348D0187A6
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 07249a662d12c80f01a5558a0f166ab3c683644d691d86d9732c538799d4449e
                                                                                                                                                              • Instruction ID: 0b0777481ac3d138ed4e9b3c0371746f48855c6f22a4d6e8b11384479bf4fdf1
                                                                                                                                                              • Opcode Fuzzy Hash: 07249a662d12c80f01a5558a0f166ab3c683644d691d86d9732c538799d4449e
                                                                                                                                                              • Instruction Fuzzy Hash: 99E092B210C310AFD3049B60E81589B7BA4EB95221B05886EF444C7141E671E945C7A5
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 61fd39d9d09abde29504ce3451884204cb776528f5d37ad4f7d2e5d152aa52c6
                                                                                                                                                              • Instruction ID: df47b382838c7ec666894cf786e76fee29e44f5de13f2c6291ee73d14799012d
                                                                                                                                                              • Opcode Fuzzy Hash: 61fd39d9d09abde29504ce3451884204cb776528f5d37ad4f7d2e5d152aa52c6
                                                                                                                                                              • Instruction Fuzzy Hash: A5E0D8350057059FC701F625BC5178537A9B745B00B014049E4119B69BD7741E568BE5
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 07e2b75e7088297b60dd7128462b470dfa445173648b92d75d52536a15b09862
                                                                                                                                                              • Instruction ID: 85920d10c9ce00c9827cee8c4366d0d445e4f0f331359761ba796bf8775b25ec
                                                                                                                                                              • Opcode Fuzzy Hash: 07e2b75e7088297b60dd7128462b470dfa445173648b92d75d52536a15b09862
                                                                                                                                                              • Instruction Fuzzy Hash: ACE0D871A45304EFC701CF68E801AAE3BB6DB42200F2041DBE409DB291D5704F148752
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 36d29a91d38eb21caca6d61eda6ef733b2c2ba0af57645f0016679fe922b0983
                                                                                                                                                              • Instruction ID: ea022c25b6dca35426cf300a47143c0e309f78cb7aaecad01ae3c31352409512
                                                                                                                                                              • Opcode Fuzzy Hash: 36d29a91d38eb21caca6d61eda6ef733b2c2ba0af57645f0016679fe922b0983
                                                                                                                                                              • Instruction Fuzzy Hash: 6EE01239115244AFC712AB68ED60C963F7ABF4A71030440C5F5408F273C721DA21DBB1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c9f5542a01ac1a4e10999f3f7caced7b866bcea8675bbc5c416018211463287b
                                                                                                                                                              • Instruction ID: 58ab717ac01ab410964717d6fd3a0a24e446506983aa0a326f137bfb074db195
                                                                                                                                                              • Opcode Fuzzy Hash: c9f5542a01ac1a4e10999f3f7caced7b866bcea8675bbc5c416018211463287b
                                                                                                                                                              • Instruction Fuzzy Hash: EED05B31310115678B45276AF4584AE77ABDBC5761300552DF607D3340DF755D0147E5
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000003.00000002.2621144766.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_3_2_6570000_MSBuild.jbxd