
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1649093
MD5: ca4a37c4e37044a6f27a300047cc41f5
SHA1: eac1104e810b8a05e9cb8900a0e4daf73ab8998c
SHA256: a55181a9277efe47ba8744273e847a42e5de4700c7f89e2e2cc12bd45f26661a
Tags: NET, exe, MSIL, user-jstrosch

Detection

Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • file.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CA4A37C4E37044A6F27A300047CC41F5)
    • MSBuild.exe (PID: 5396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • cmd.exe (PID: 2312 cmdline: "cmd.exe" /C timeout 1 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
        • timeout.exe (PID: 2864 cmdline: timeout 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe Virustotal: Detection: 15%
Source: Submitted Sample Neural Call Log Analysis: 98.5%
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: d:\build\ob\bora-21004615\cayman_pcre\pcre\src\build-VS2017\Release\pcre.pdb source: file.exe
Source: Binary string: D:\build\ob\bora-18521611\bora\build\build\LIBRARIES\sysimgbase\win32\release\sysimgbase.pdb\ source: file.exe
Source: Binary string: d:\build\ob\bora-16930445\cayman_libsigcpp2\libsigcpp2\src\MSVC_Net2015\Win32\Release\sigc-2.0.pdb source: file.exe
Source: Binary string: wntdll.pdbUGP source: file.exe, 00000001.00000002.1631698740.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: d:\build\ob\bora-16930445\cayman_libsigcpp2\libsigcpp2\src\MSVC_Net2015\Win32\Release\sigc-2.0.pdb## source: file.exe
Source: Binary string: wntdll.pdb source: file.exe, 00000001.00000002.1631698740.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\build\ob\bora-18521611\bora\build\build\LIBRARIES\sysimgbase\win32\release\sysimgbase.pdb source: file.exe
Source: Binary string: d:\build\ob\bora-21004615\cayman_pcre\pcre\src\build-VS2017\Release\pcre.pdb** source: file.exe
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown TCP traffic detected without corresponding DNS query: 184.86.251.5
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown TCP traffic detected without corresponding DNS query: 184.86.251.5
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.72.131
Source: unknown TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: c.pki.goog
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://ccodearchive.net/
Source: file.exe String found in binary or memory: http://creativecommons.org/licenses/publicdomain.
Source: file.exe String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
Source: file.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: file.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: file.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe String found in binary or memory: http://hdl.handle.net/1895.22/1013
Source: file.exe String found in binary or memory: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
Source: file.exe String found in binary or memory: http://invisible-island.net/ncurses/ncurses-examples.html
Source: file.exe String found in binary or memory: http://jquery.com/
Source: file.exe String found in binary or memory: http://jquery.org/license
Source: file.exe String found in binary or memory: http://mail.gnome.org/archives/gtk-devel-list/2001-October/msg00087.html
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: file.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe String found in binary or memory: http://opensource.org/licenses/ms-rl
Source: file.exe String found in binary or memory: http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5
Source: file.exe String found in binary or memory: http://pcre.org/
Source: file.exe String found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: file.exe String found in binary or memory: http://purl.oclc.org/dsdl/schematronhttp://www.ascc.net/xml/schematronFailed
Source: file.exe String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: file.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: file.exe String found in binary or memory: http://sizzlejs.com/
Source: file.exe String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: file.exe String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: file.exe String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license1.pdf
Source: file.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE
Source: file.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe String found in binary or memory: http://www.ascc.net/xml/schematron
Source: file.exe String found in binary or memory: http://www.bis.doc.gov/.
Source: file.exe String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/
Source: file.exe String found in binary or memory: http://www.cnri.reston.va.us)
Source: file.exe String found in binary or memory: http://www.cwi.nl)
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe String found in binary or memory: http://www.freetype.org)
Source: file.exe String found in binary or memory: http://www.fsf.org
Source: file.exe String found in binary or memory: http://www.gnu.org/licenses/
Source: file.exe String found in binary or memory: http://www.levien.com/gdkrgb/
Source: file.exe String found in binary or memory: http://www.mico.org/
Source: file.exe String found in binary or memory: http://www.mozilla.org/MPL/
Source: file.exe String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: file.exe String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: file.exe String found in binary or memory: http://www.openismus.com/
Source: file.exe String found in binary or memory: http://www.opensource.org
Source: file.exe String found in binary or memory: http://www.openssl.org/)
Source: file.exe String found in binary or memory: http://www.pythonlabs.com/logos.html
Source: file.exe String found in binary or memory: http://www.pythonware.com
Source: file.exe String found in binary or memory: http://www.vmware.com/0/
Source: file.exe String found in binary or memory: http://www.vmware.com/download/open_source.html
Source: file.exe String found in binary or memory: http://www.xiph.org/
Source: file.exe String found in binary or memory: http://www.zope.com/Marks).
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=16965131449
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1689809314.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, prefs.js.2.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1689809314.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, prefs.js.2.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700003.1&cta
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1689809314.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, prefs.js.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1689809314.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, prefs.js.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe String found in binary or memory: https://cs.chromium.org/chromium/src/LICENSE
Source: file.exe String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: file.exe String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: file.exe String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: file.exe String found in binary or memory: https://github.com/kiyolee/pcre-win-build/
Source: file.exe String found in binary or memory: https://gitlab.gnome.org/GNOME/libxml2D
Source: prefs.js.2.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4ClZfC2k4pbW4ZbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1689809314.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, prefs.js.2.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_b07fa4138d6cee96061521c23bb7cd6608bee0c31ef2bfdc
Source: MSBuild.exe, 00000002.00000002.1689809314.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1689809314.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, prefs.js.2.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe String found in binary or memory: https://www.gnu.org/licenses/
Source: file.exe String found in binary or memory: https://www.openssl.org/source/license.html
Source: file.exe String found in binary or memory: https://www.python.org/psf/)
Source: file.exe String found in binary or memory: https://www.qt.io/licensing/
Source: file.exe String found in binary or memory: https://www.ribose.com).
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\TmpB237.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\TmpB1F8.tmp

System Summary

Source: file.exe, a.cs Large array initialization: Main: array initializer size 32768
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB56D0 NtAllocateVirtualMemory, 1_2_00FB56D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5438 NtReadVirtualMemory, 1_2_00FB5438
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5808 NtWriteVirtualMemory, 1_2_00FB5808
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5958 NtResumeThread, 1_2_00FB5958
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5318 NtSetContextThread, 1_2_00FB5318
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB56C8 NtAllocateVirtualMemory, 1_2_00FB56C8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5430 NtReadVirtualMemory, 1_2_00FB5430
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5803 NtWriteVirtualMemory, 1_2_00FB5803
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5950 NtResumeThread, 1_2_00FB5950
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB5310 NtSetContextThread, 1_2_00FB5310
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB302D 1_2_00FB302D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB1A10 1_2_00FB1A10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB4717 1_2_00FB4717
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB3087 1_2_00FB3087
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00FB1A03 1_2_00FB1A03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_00F3DB10 2_2_00F3DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_059C0410 2_2_059C0410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_059C5C88 2_2_059C5C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_059C0C38 2_2_059C0C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_059C4640 2_2_059C4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_059C0C28 2_2_059C0C28
Source: file.exe, 00000001.00000002.1631141051.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000001.00000000.1627302149.00000000007E0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUI.Pipeline.exe0 vs file.exe
Source: file.exe, 00000001.00000000.1628419204.0000000000810000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGlossina.exe@ vs file.exe
Source: file.exe, 00000001.00000000.1627302149.0000000000646000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibpcre.dll* vs file.exe
Source: file.exe, 00000001.00000000.1627302149.0000000000646000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesigc-2.0.dll4 vs file.exe
Source: file.exe, 00000001.00000002.1631495575.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.Pipeline.exe0 vs file.exe
Source: file.exe, 00000001.00000000.1627302149.00000000002F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibxml2.dll0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamelibxml2.dll0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamelibpcre.dll* vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesigc-2.0.dll4 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameUI.Pipeline.exe0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameGlossina.exe@ vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.phis.spyw.evad.winEXE@8/7@2/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\TmpB1F8.tmp
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe Virustotal: Detection: 15%
Source: file.exe String found in binary or memory: curl-7.70.0/install-sh
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/addtiffo.c
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/tif_overview.c
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/tif_ovrcache.c
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/tif_ovrcache.h
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/Makefile.in
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/Makefile.am
Source: file.exe String found in binary or memory: tiff-4.1.0/contrib/addtiffo/CMakeLists.txt
Source: file.exe String found in binary or memory: tiff-4.1.0/config/install-sh
Source: file.exe String found in binary or memory: openssl-1.1.1h/util/add-depends.pl
Source: file.exe String found in binary or memory: pcre-8.44/INSTALL
Source: file.exe String found in binary or memory: pcre-8.44/install-sh
Source: file.exe String found in binary or memory: [VMWARE DOES NOT DISTRIBUTE SUB-COMPONENT DOC-INSTALL.PL]
Source: file.exe String found in binary or memory: atkmm-2.22.7.tar.xz\atkmm-2.22.7.tar\atkmm-2.22.7\doc\doc-install.pl
Source: file.exe String found in binary or memory: pulseaudio-0.9.22.tar.gz\pulseaudio-0.9.22.tar\pulseaudio-0.9.22\src\modules\bluetooth\proximity-helper.c
Source: file.exe String found in binary or memory: librsvg-2.40.21/INSTALL
Source: file.exe String found in binary or memory: librsvg-2.40.21/install-sh
Source: file.exe String found in binary or memory: ISO_6937-2-add
Source: file.exe String found in binary or memory: NATS-SEFI-ADD
Source: file.exe String found in binary or memory: NATS-DANO-ADD
Source: file.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: file.exe String found in binary or memory: jp-ocr-b-add
Source: file.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: file.exe String found in binary or memory: jp-ocr-hand-add
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout 1 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout 1 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptprov.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.2.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Google Chrome.lnk0.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: Microsoft Edge.lnk.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: Google Chrome.lnk1.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 5363712 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x51cc00
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: d:\build\ob\bora-21004615\cayman_pcre\pcre\src\build-VS2017\Release\pcre.pdb source: file.exe
Source: Binary string: D:\build\ob\bora-18521611\bora\build\build\LIBRARIES\sysimgbase\win32\release\sysimgbase.pdb\ source: file.exe
Source: Binary string: d:\build\ob\bora-16930445\cayman_libsigcpp2\libsigcpp2\src\MSVC_Net2015\Win32\Release\sigc-2.0.pdb source: file.exe
Source: Binary string: wntdll.pdbUGP source: file.exe, 00000001.00000002.1631698740.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: d:\build\ob\bora-16930445\cayman_libsigcpp2\libsigcpp2\src\MSVC_Net2015\Win32\Release\sigc-2.0.pdb## source: file.exe
Source: Binary string: wntdll.pdb source: file.exe, 00000001.00000002.1631698740.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\build\ob\bora-18521611\bora\build\build\LIBRARIES\sysimgbase\win32\release\sysimgbase.pdb source: file.exe
Source: Binary string: d:\build\ob\bora-21004615\cayman_pcre\pcre\src\build-VS2017\Release\pcre.pdb** source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_00F33348 pushfd ; iretd 2_2_00F33369

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BFC5FBF042F25A0BCAF8B7C2544DA203DF898B12 BlobJump to behavior
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Process information set: NOOPENFILEERRORBOX (36 occurrences)

The 53 identical lines behind these two entries are calls to SetErrorMode with SEM_NOOPENFILEERRORBOX, which stops Windows from showing a dialog when a module the process tries to load is missing. The .NET runtime and the C runtime set that flag around their own LoadLibrary calls, so it appears, many times over, in nearly every managed process; the count carries no signal. The entries are listed because the sandbox treats the flag as a possible attempt to run without visible error pop-ups.
Source: C:\Users\user\Desktop\file.exe; Memory allocated: F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 4AC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 4A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\Desktop\file.exe TID: 5360; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2012; Thread sleep time: -922337203685477s >= -30000s

Two caveats on these evasion entries. VirtualAlloc with MEM_RESERVE | MEM_WRITE_WATCH is how the .NET garbage collector reserves its heap (the write-watch bitmap is what it uses to find pages dirtied during a concurrent collection), and the same three reservations at nearly the same addresses in file.exe and in MSBuild.exe are the CLR starting up in each process. The delay value 922337203685477 ms is Int64.MaxValue / 10000, that is TimeSpan.MaxValue expressed in milliseconds: one thread in each process (TID 5360 and TID 2012) is parked indefinitely, not put to sleep for a period a sandbox could fast-forward, which is what a loader does with a thread it no longer needs once work has been handed off. Neither entry is evidence of sandbox detection on its own.
The strings below are listed because they mention VMware, the trigger for the sandbox's virtual-machine-detection heuristic. Read against the PDB paths above, 243 of the 256 hits are VMware's open-source attribution notice, which names the files of OpenSSL, PCRE, libjpeg-turbo, libpng, libffi and libpam that VMware leaves out of its redistributions, and the remaining ones are strings from VMware's own client code: messages for connecting to vmware-authd, VIX error-message identifiers, the VMWARE_CFG_DIR environment variable, a guest-OS identifier table, and the "VMware Hidden" and "VMware Reserved" partition names. "VMware, Inc.1!0" is an X.500 name fragment (the characters 1, ! and 0 are the bytes 0x31 0x21 0x30 of a DER SET and SEQUENCE header), most likely from a certificate in the embedded binary's signature. All of it is data carried inside file.exe; none of it checks for a VMware guest. For this sample the anti-VM heuristic is a false positive, and hunts should not key on these strings.

Source: file.exe; Binary or memory string: [VMWARE DOES NOT DISTRIBUTE SUB-COMPONENT LIBFFI.EXP]
Source: file.exe; Binary or memory string: [PURSUANT TO THE LICENSE TERMS FOR LIBPAM-0.99.3.0, VMWARE IS ELECTING TO
Source: file.exe; Binary or memory string: VMWARE_B2B
Source: file.exe; Binary or memory string: VMWARE_CFG_DIR
Source: file.exe; Binary or memory string: <VMWARE-NULL>
Source: file.exe; Binary or memory string: VMware, Inc.1!0
Source: file.exe; Binary or memory string: http://www.vmware.com/0/
Source: file.exe; Binary or memory string: @&!*@*@(msg.foundryErrMsgId.VIX_E_MNTAPI_CANT_MAKE_VAR_DIR)Cannot create directory '/var/run/vmware/fuse'
Source: file.exe; Binary or memory string: @&!*@*@(msg.foundryErrMsgId.VIX_E_TOOLS_NOT_RUNNING)VMware Tools are not running in the guest
Source: file.exe; Binary or memory string: @&!*@*@(msg.gostable8.guest.vmware-photon-64)VMware Photon OS 64-bit
Source: file.exe; Binary or memory string: http://Failed to create socket to connect to vmware-authd (error %d).127.0.0.1Failed to connect to socket to vmware-authd (error %d).tlocalconnectlocalconnect%s message failed: %s%s message-send failed to send required bytes (sent:%d required:%d)Failed to read response to %s message: %sERRORFailed to read vmware-authd port number: %sTLOCALCONNECT%d %nMalformed response "%s"LOCALCONNECTUnknown response "%s"CnxAuthdConnectPipe%s: CreateFileW failed with ERROR_PIPE_BUSY
Source: file.exe; Binary or memory string: clinuxPreGlibc25.isolinux.isodarwinPre15.isodarwin.isofreebsd.isowindows.isonetware.isowinPre2k.isosolaris.isowinPreVista.isoamazonlinuxarm-debianarm-Fedoraarm-freeBSDarm-otherarm-other5xlinuxarm-other6xlinuxarm-rhelarm-ubuntuarm-vmkernelarm-vmware-photonarm-windowsasianuxcoreosCRXPodCRXSysdebianflatcarlinuxMintnldnt4oesopenserveros2experimentalrhelunixwarevmware-photonwhistlerwin2000windows2019srvwindows2019srvNextwindows2022srvNextwindows7Server64Guestwindows7srvwindows8srvwindows9srvwinLonghorn64GuestwinLonghornGuestwinServer2008ClusterwinServer2008DatacenterwinServer2008DatacenterCorewinServer2008EnterprisewinServer2008EnterpriseCorewinServer2008SmallBusinesswinServer2008SmallBusinessPremiumwinServer2008StandardwinServer2008StandardCorewinServer2008WebwinVista
Source: file.exe; Binary or memory string: VMware HiddenVMware ReservedDEVCREAT: Partition type mismatch
Source: file.exe; Binary or memory strings: 243 VMware open-source attribution notices of the form [VMware does not distribute this component <file>], one per file, in report order: 15-test_mp_rsa.t, ec_mult.c, e_afalg.h, dhtest.c, 02-test_stack.t, idea_local.h, tasn_dec.c, tls13secretstest.c, sljitNativePPC_common.c, pk7_smime.c, 70-test_sslextension.t, uid.c, armcap.c, main.c, tserr.h, asn1_encode_test.c, RSA_public_encrypt.pod, req.pod, seed_cbc.c, ec_curve.c, x509_internal_test.c, ssl_asn1.c, a_d2i_fp.c, a_time.c, obj_lib.c, SSL_CTX_set_record_padding_callback.pod, o2i_SCT_LIST.pod, ec_check.c, objectserr.h, 99-test_ecstress.t, e_capi.c, EVP_PKEY_CTX_set_tls1_prf_md.pod, mkdef.pl, SSL_CTX_set_cert_verify_callback.pod, bn-c64xplus.asm, modes.h, dsa_prn.c, pmeth_gn.c, rsa_lib.c, rsa_sign.c, bioerr.h, 80-test_ssl_old.t, ssl_init.c, pcre_jit_test.c, 90-test_srp.t, s390x.S, passwd.c, rdcolmap.c, tb_pkmeth.c, SSL_get_peer_certificate.pod, libpng-1.6.37.tar.gz\libpng-1.6.37.tar\libpng-1.6.37\contrib\oss-fuzz\libpng_read_fuzzer.cc, e_afalg.txt, v3_asid.c, cms_asn1.c, bss_log.c, driver.c, X509_NAME_get_index_by_NID.pod, cipher_overhead_test.c, RIPEMD160_Init.pod, README.ijg, uplink-x86.pl, 30-test_evp_extra.t, RAND_DRBG_get0_master.pod, rc2cfb64.c, rc5cfb64.c, DTLS_get_data_mtu.pod, SSL_CONF_CTX_set_ssl_ctx.pod, ssl.h, scrypt.c, d1_lib.c, sha512.c, 03-test_internal_modes.t, 17-renegotiate.conf.in, pcre16_config.c, mem_dbg.c, 05-test_hmac.t, f_impl.c, SSL_get_peer_signature_nid.pod, Makefile.in, ssl_utst.c, dso_vms.c, vms_rms.h, BN_num_bytes.pod, EVP_blake2b512.pod, ts_local.h, srp.pod, ecdh_kdf.c, ar-lib, mkbuildinf.pl, jfdctflt.c, aria.c, 05-sni.conf.in, md5cmp.c, field.h, LICENCE, v3_addr.c, pcre_newline.c, x509_att.c, m_sha3.c, pcre32_utf32_utils.c, tjbench.c, ripemd.h, srp_vfy.c, conf_include_test.c, bss_bio.c, evp_asn1.c, dsa_no_digest_size_test.c, asynctest.c, 13-fragmentation.conf.in, 80-test_cipherbytes.t, 15-certstatus.conf.in, sm4.h, SSL_CTX_free.pod, kdf.h, e_dasync_err.h, BN_rand.pod, SSL_get_current_cipher.pod, poly1305_ameth.c, ssl_test_ctx_test.c, 02-protocol-version.conf.in, seed_ecb.c, ocsp_lib.c, f_int.c, b_print.c, rsa_pss.c, openssl.pod, des_local.h, p12_add.c, PEM_write_bio_PKCS7_stream.pod, cb.c, PKCS7_sign_add_signer.pod, e_null.c, objxref.pl, 06-sni-ticket.conf.in, find-unused-errs, dsa_gen.c, pkcs7err.c, RAND_egd.pod, pcbc_enc.c, tb_rsa.c, config.guess, a_digest.c, testutil_init.c, vms_decc_init.c, cryptlib.c, bss_file.c, ocspapitest.c, rand_drbg.h, pcre_fullinfo.c, OSSL_STORE_INFO.pod, v3_pcons.c, e_old.c, dso_openssl.c, sslbuffertest.c, 02-test_internal_ctype.t, X509_cmp.pod, f_impl.h, su-filter.pl, symhacks.h, packeted_bio.h, e_rc4.c, x509_meth.c, 80-test_cms.t, i_ofb64.c, evp_test.c, pcre_study.c, c_ofb64.c, missing, pcre16_string_utils.c, 05-test_md2.t, SSL_CTX_load_verify_locations.pod, README.pod, safestack.h, 80-test_pkcs12.t, s3_msg.c, lhash.c, BN_CTX_new.pod, dsa_ameth.c, bio_cb.c, pcre_printint.c, ssl_cert.c, ui_util.c, x_int64.c, sm4.c, buffererr.h, SSL_CONF_CTX_set_flags.pod, jdcolor-mmi.c, bftest.c, spkac.c, jfdctfst-altivec.c, store_strings.c, ct_local.h, 70-test_tls13kexmodes.t, rmd_local.h, cfb64enc.c, EVP_cast5_cbc.pod, p12_sbag.c, EVP_PKEY_print_private.pod, x509_obj.c, pkwrite.c, pk7_lib.c, by_dir.c, EVP_idea_cbc.pod, conf_mall.c, md32_common.h, sljitNativeMIPS_common.c, ui_null.c, pcre_globals.c, c_allc.c, bn_exp2.c, sha.h, v3nametest.c, client.c, generate_ssl_tests.pl, conf_ssl.c, cryptlib.h, e_dasync_err.c, BIO_meth_new.pod, SSL_CTX_set_cert_cb.pod, 10-test_bn.t, ocsp_asn.c, ts_rsp_utils.c, rsaz-x86_64.pl, checkhandshake.pm, TJTransformer.java, EVP_PKEY_cmp.pod, base.h, cms_pwri.c, p5_scrypt.c, ct.h, PEM_read_bio_ex.pod, bn_rand.c, rc5.h, v3_sxnet.c, statem_local.h, __DECC_INCLUDE_EPILOGUE.H, cms_local.h, conf_api.c, p12_local.h, SSL_rstate_string.pod, 70-test_verify_extra.t, rsa_test.c, evp_test.h
Source: file.exeBinary or memory string: noreply@vmware.com0
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_CTX_set1_sigalgs.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component errtest.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component d2i_SSL_SESSION.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component ASN1_STRING_TABLE_add.pod]
Source: file.exeBinary or memory string: vmware
Source: file.exeBinary or memory string: [VMware does not distribute this component sljitNativeSPARC_32.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component jfdctint-altivec.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component f_string.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component BN_copy.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component ecp_nistputil.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 90-test_shlibload.t]
Source: file.exeBinary or memory string: [VMWARE DOES NOT DISTRIBUTE SUB-COMPONENT CJK_TAB_TO_H.C]
Source: file.exeBinary or memory string: [VMware does not distribute this component 03-test_internal_curve448.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component crypto.pod]
Source: file.exeBinary or memory string: @&!*@*@(msg.foundryErrMsgId.VIX_E_TOOLS_INSTALL_IMAGE_COPY_FAILED)Could not copy VMware Tools image to the guest operating system
Source: file.exeBinary or memory string: [VMware does not distribute this component 70-test_wpacket.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component CMS_get0_type.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component sparccpuid.S]
Source: file.exeBinary or memory string: [VMware does not distribute this component curve448_tables.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ectest.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component DSA_new.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component err.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component cmll-x86.pl]
Source: file.exeBinary or memory string: [VMware does not distribute this component rc4_skey.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component expat-2.2.9.tar.gz\expat-2.2.9.tar\expat-2.2.9\doc\xmlwf.xml]
Source: file.exeBinary or memory string: [VMware does not distribute this component test_test.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component dsa_sign.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 10-test_exp.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component sha1_one.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 25-test_crl.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component v3_cpols.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 20-test_enc.t]
Source: file.exeBinary or memory string: vmware64-core
Source: file.exeBinary or memory string: [VMware does not distribute this component dh_lib.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component x_sig.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component digest.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component e_des.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component v3_prn.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component lhash.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component EVP_PKEY_sign.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component conf_api.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component bntests.pl]
Source: file.exeBinary or memory string: [VMware does not distribute this component x_x509.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component danetest.in]
Source: file.exeBinary or memory string: [VMware does not distribute this component 05-test_rand.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component 90-test_threads.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component RSA_sign_ASN1_OCTET_STRING.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component Certificate.pm]
Source: file.exeBinary or memory string: [VMware does not distribute this component ERR_load_strings.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component dtlsv1listentest.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 25-test_x509.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component bio.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component output.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component process_docs.pl]
Source: file.exeBinary or memory string: [VMware does not distribute this component dsa_meth.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre_visibility.m4]
Source: file.exeBinary or memory string: [VMware does not distribute this component 90-test_sslbuffers.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component EVP_PKEY_verify.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component jsimd_neon.S]
Source: file.exeBinary or memory string: [VMware does not distribute this component enc.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component threads_pthread.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 05-test_cast.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component CTLOG_STORE_new.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component tb_cipher.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component jsimdext.inc]
Source: file.exeBinary or memory string: [VMware does not distribute this component err.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component dso_lib.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component version.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component OBJ_nid2obj.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component p12_crpt.c]
Source: file.exeBinary or memory string: [NOTE: VMWARE, INC. ELECTS TO USE AND DISTRIBUTE THIS SUBPACKAGE UNDER THE TERMS OF THE BSD-3 LICENSE, THE TEXT OF WHICH IS SET FORTH BELOW. THE ORIGINAL LICENSE TERMS ARE REPRODUCED BELOW ONLY AS A REFERENCE.]
Source: file.exeBinary or memory string: [VMware does not distribute this component CertificateVerify.pm]
Source: file.exeBinary or memory string: [VMware does not distribute this component x509v3.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component 03-test_exdata.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component nseq.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component p_open.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre16_refcount.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pem_oth.c]
Source: file.exeBinary or memory string: vmware-authd version (%s) does not match that of client (%u.%u)
Source: file.exeBinary or memory string: [VMware does not distribute this component rc5_enc.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component poly1305.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component DSA_sign.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component eck_prn.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 90-test_tls13secrets.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component mem.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component cms_ess.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component refcount.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component ocsp_ht.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component rc2_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component ocsp_ext.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component SCT_print.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component ct.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component evp_enc.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component bf_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component des.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component md4.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component 03-custom_verify.conf.in]
Source: file.exeBinary or memory string: [VMware does not distribute this component 90-test_constant_time.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component 15-test_rsapss.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component sparcv8plus.S]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_get_client_random.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component str2key.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 04-test_asn1_string_table.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_session_reused.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component format_output.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component i_cfb64.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component EVP_BytesToKey.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component cms.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component SCT_new.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component store_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_CTX_set_tlsext_use_srtp.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component copy.pl]
Source: file.exeBinary or memory string: [VMware does not distribute this component ServerKeyExchange.pm]
Source: file.exeBinary or memory string: [VMWARE DOES NOT DISTRIBUTE SUB-COMPONENT LIBTOOL-LDFLAGS]
Source: file.exeBinary or memory string: [VMware does not distribute this component pkcs7.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component blake2_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre16_maketables.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component DSA_do_sign.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component p12_p8d.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 95-test_external_boringssl.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component e_ossltest.txt]
Source: file.exeBinary or memory string: [VMware does not distribute this component RSA_sign.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component e_capi.txt]
Source: file.exeBinary or memory string: [VMware does not distribute this component DH_size.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component x_val.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ocsperr.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component ct_test.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component crl2p7.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component bio_ok.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component store_init.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ecp_nist.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre_ord2utf8.c]
Source: file.exeBinary or memory string: [VMWARE DOES NOT DISTRIBUTE THE SUB-COMPONENT LICENSED UNDER GPL 2.0]
Source: file.exeBinary or memory string: VMware Hidden
Source: file.exeBinary or memory string: [VMware does not distribute this component X509_new.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component X509_SIG_get0.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component bn_err.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ecp_mont.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component CA.pl.in]
Source: file.exeBinary or memory string: [VMware does not distribute this component rdrand_sanitytest.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre32_version.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pem_sign.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ui_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component 15-test_ecparam.t]
Source: file.exeBinary or memory string: by sending a request, with your name and address to: VMware, Inc., 3401
Source: file.exeBinary or memory string: [VMware does not distribute this component libpng-1.6.37.tar.gz\libpng-1.6.37.tar\libpng-1.6.37\contrib\gregbook\LICENSE]
Source: file.exeBinary or memory string: [VMware does not distribute this component configure]
Source: file.exeBinary or memory string: [VMware does not distribute this component passwd.pod]
Source: file.exeBinary or memory string: [VMWARE DOES NOT DISTRIBUTE THE SUB COMPONENT LICENSED UNDER GPL2.0]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_CTX_set_ct_validation_callback.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component ecp_oct.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component LPdir_win32.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pem_info.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component s_apps.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component 70-test_sslsignature.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component SCT_validate.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component bn_shift.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component bio_meth.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre.h.in]
Source: file.exeBinary or memory string: [VMware does not distribute this component dh_rfc5114.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component evp_cnf.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component m_md4.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ossl_shim.cc]
Source: file.exeBinary or memory string: [VMware does not distribute this component jquanti-mmi.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_SESSION_get0_peer.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component aes_ecb.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component dsaerr.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component DSA_generate_parameters.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component opt.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component eng_devcrypto.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component proxy-certificates.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component nsseq.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component list.pod]
Source: file.exeBinary or memory string: [NOTE: VMWARE, INC. ELECTS TO USE AND DISTRIBUTE THIS SUBPACKAGE UNDER THE TERMS OF THE BSD-4 LICENSE, THE TEXT OF WHICH IS SET FORTH BELOW. THE ORIGINAL LICENSE TERMS ARE REPRODUCED BELOW ONLY AS A REFERENCE.]
Source: file.exeBinary or memory string: [VMware does not distribute this component stack_test.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component conf_sap.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component dh_meth.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component evp_pkey.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component enginetest.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component testutil.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component ec.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component bnshift.txt]
Source: file.exeBinary or memory string: [VMware does not distribute this component errstr.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ocsp.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component rc5ofb64.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component eng_openssl.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_SESSION_get_protocol_version.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component sha_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component ec_key.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_CTX_set_ex_data.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre16_byte_order.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component NewSessionTicket.pm]
Source: file.exeBinary or memory string: [VMware does not distribute this component RAND_DRBG_reseed.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcre_string_utils.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component DSA_meth_new.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component s_server.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 03-test_internal_chacha.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component protocol_version.pm]
Source: file.exeBinary or memory string: [VMware does not distribute this component pkcs7.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component s3_enc.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component tls13ccstest.c]
Source: file.exeBinary or memory string: vmware-photon
Source: file.exeBinary or memory string: [VMware does not distribute this component hm_ameth.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component 80-test_ssl_test_ctx.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component EVP_mdc2.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component bn.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component PKCS12_parse.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component PEM_read_CMS.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component BIO_s_socket.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component 30-test_evp.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component bn_add.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component x509_dup_cert_test.c]
Source: file.exeBinary or memory string: [VMWARE DOES NOT DISTRIBUTE THE SUB-COMPONENT LICENSED UNDER LGPL 2.1]
Source: file.exeBinary or memory string: @&!*@*@(msg.foundryErrMsgId.VIX_E_TOOLS_INSTALL_IMAGE_INACCESIBLE)The VMware Tools image is inaccessible
Source: file.exeBinary or memory string: [VMware does not distribute this component chacha_enc.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component ax_pthread.m4]
Source: file.exeBinary or memory string: [VMware does not distribute this component eng_local.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component smime.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component LPdir_unix.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component rand_key.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component e_padlock-x86_64.pl]
Source: file.exeBinary or memory string: [VMware does not distribute this component d2i_test.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component pcregexp.pas]
Source: file.exeBinary or memory string: [VMware does not distribute this component BIO_printf.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component with_fallback.pm]
Source: file.exeBinary or memory string: [VMware does not distribute this component txt_db.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component bndiv.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component TJBench.java]
Source: file.exeBinary or memory string: [VMware does not distribute this component engineerr.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component rsa_mp.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component kdferr.h]
Source: file.exeBinary or memory string: [VMware does not distribute this component conf_err.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component SSL_CTX_set_ctlog_list_file.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component md4_dgst.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component BN_mod_inverse.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component 30-test_afalg.t]
Source: file.exeBinary or memory string: [VMware does not distribute this component CMS_add1_recipient_cert.pod]
Source: file.exeBinary or memory string: [VMware does not distribute this component uninstall.in]
Source: file.exeBinary or memory string: [VMware does not distribute this component ClientHello.pm]
Source: file.exeBinary or memory string: [VMware does not distribute this component TJScalingFactor.java]
Source: file.exeBinary or memory string: [VMware does not distribute this component conf.c]
Source: file.exeBinary or memory string: [VMware does not distribute this component OPENSSL_fork_prepare.pod]
Source: file.exeBinary or memory string: 220 VMware Authentication Daemon Version
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 940008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout 1 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\prefs.js

Stealing of Sensitive Information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\prefs.js
MITRE ATT&CK Matrix (one line per tactic column; a number before a technique is the signature count shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 12 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 1 Browser Session Hijacking; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture
Command and Control: 12 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1649093, Sample: file.exe, Start date: 26/03/2025, Architecture: WINDOWS, Score: 80)

  • Contacted domains: pki-goog.l.google.com; c.pki.goog
  • Sample-level signatures: Multi AV Scanner detection for submitted file; .NET source code contains very large array initializations; Joe Sandbox ML detected suspicious sample
  • file.exe (started)
    • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    • MSBuild.exe 1 5 (started)
      • Dropped file: C:\Users\user\AppData\Roaming\...\prefs.js (ASCII)
      • Signatures: Installs new ROOT certificates; Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc)
      • cmd.exe 1 (started)
        • conhost.exe (started)
        • timeout.exe 1 (started)

Antivirus detection (Source | Detection | Scanner):
file.exe | 15% | Virustotal
SAMPLE | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches


Contacted domains (Name | IP | Active | Malicious | Reputation):
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high
pki-goog.l.google.com | 142.250.65.195 | true | false | high
c.pki.goog | unknown | unknown | false | high
Contacted URLs (Name | Malicious | Reputation):
http://c.pki.goog/r/r4.crl | false | high
http://c.pki.goog/r/gsr1.crl | false | high
                                                                              No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1649093
Start date and time: 2025-03-26 14:05:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal80.phis.spyw.evad.winEXE@8/7@2/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 66
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 199.232.210.172, 20.3.187.198, 52.165.164.15
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:07:47 | API Interceptor | 1x Sleep call for process: MSBuild.exe modified
                                                                              No context
Context (Match | Associated Sample Name / URL | Detection | Threat Name | Context IP):
pki-goog.l.google.com | toch.exe | malicious | Go Stealer, Skuld Stealer, Xmrig | 142.251.40.227
pki-goog.l.google.com | CEnZGYPvcA.exe | malicious | XWorm | 142.251.40.131
pki-goog.l.google.com | 92.255.85.2.exe | malicious | XWorm | 142.250.80.3
pki-goog.l.google.com | 92.255.85.2.bat | malicious | XWorm | 142.250.80.35
pki-goog.l.google.com | file.exe | malicious | CryptOne, LummaC Stealer, Socks5Systemz | 142.251.35.163
pki-goog.l.google.com | file.exe | malicious | LummaC Stealer | 142.250.80.67
pki-goog.l.google.com | EFT Remittance_(Bobd)CQDM.htm | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 142.250.80.67
pki-goog.l.google.com | qoutation.js | malicious | XWorm | 142.250.64.99
bg.microsoft.map.fastly.net | 1.ps1 | malicious | AsyncRAT, Xmrig | 199.232.210.172
bg.microsoft.map.fastly.net | gkd.exe | malicious | CobaltStrike, Metasploit | 199.232.214.172
bg.microsoft.map.fastly.net | MDRHZBOL2477518 CO.xls | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | k6sMqU4WU6.bat | malicious | AsyncRAT, DcRat | 199.232.210.172
bg.microsoft.map.fastly.net | toch.exe | malicious | Go Stealer, Skuld Stealer, Xmrig | 199.232.210.172
bg.microsoft.map.fastly.net | 3Judiciario02-jRc3-8Gwc1-T12.msi | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | MauThietKeNTCTY2025.bat | malicious | AsyncRAT, DcRat | 199.232.214.172
bg.microsoft.map.fastly.net | Documents.js | malicious | ScreenConnect Tool | 199.232.210.172
bg.microsoft.map.fastly.net | CEnZGYPvcA.exe | malicious | XWorm | 199.232.214.172
bg.microsoft.map.fastly.net | ORDER 517-2025.xla.xlsx | malicious | Unknown | 199.232.210.172
                                                                              No context
                                                                              No context
                                                                              No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Fri Mar 7 13:07:34 2025, atime=Tue Feb 25 23:36:44 2025, length=3388000, window=hide
Category: dropped
Size (bytes): 2420
Entropy (8bit): 3.574688950231698
Encrypted: false
SSDEEP: 48:8S7dUOT4mjYrnvPdAKRkdAhuLoxdAKRFdAKRW:8S38nuL
MD5: 97AC2059E913B8BA24B0D437C5DF97E6
SHA1: 05D4AF9AE5036D64C440CF6B6A745E2BC6315C31
SHA-256: 2CBFD4B7F0ADD750DEA8F55CC3AA3E7A061C678D964F5DE7F82300F695A8E41B
SHA-512: 0F7FCAC82F414C79AA09B1FE5D588F367DF5B6A23E94009361E25B1ABC9BF76EFB539DC2D1AC09D4A3EDF9C6E29806CDB75E667C312D5EC9697E09CEF5A165DB
Malicious: false
Reputation: low
                                                                              Preview:L..................F.@.. ......,....$.aFj...f~.....`.3.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.IgZ.p....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VgZGp....L.....................p+j.G.o.o.g.l.e.....T.1.....gZGp..Chrome..>......CW.VgZGp....M.....................:...C.h.r.o.m.e.....`.1.....gZGp..APPLIC~1..H......CW.VgZHp..........................:...A.p.p.l.i.c.a.t.i.o.n.....`.2.`.3.ZZ.. .chrome.exe..F......CW.VgZ.p..............................c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n...-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 2540
Entropy (8bit): 7.801552142126602
Encrypted: false
SSDEEP: 48:CDAZse4GVajjgsrMM7wEIyxduDwLHXsZ5z/C2iJQ7sKXhVFm1:C+sfGEjgsgM7lIKuK3qB6HJQ7BFm
MD5: CBC6B2AD4BF883EA7ECB41D8D86B0964
SHA1: 3051043976773ABFC145A23942B42E4C7CAC5A1C
SHA-256: C8844BA7CA7DF3C75532044792065C3D2B742C389FC9FA1A6E2776ED425917AF
SHA-512: 355B1E180D067ABAAB69F1F51CF0776DEE7156156195094825A1BA7FAC3BCF7AB303B5D68BE373878F400CD34EC9061DC549706B8AD344E66AC8968DAA7E812F
Malicious: false
Reputation: low
                                                                              Preview:0......0.....*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0........J..........+"J.).V9...,...:'.......>.i..$V.Y.R..w......?)fA....l..B.I....W....d}.uw..),}.-..S......Z.fM.%<.R..Ln.<.U.]]....m.QS..R4..T.....)s>.(@.<C...>.../.F............|.i.:.._..1...@ns.<...!....O.'g.<X*.........ctf.=.........4.......?e......G}..N~.>P.....A^.e...8.*]..Z...l-se....g ..M;....@w....G...E...)...\.}W.lP...z..X.J..%!I..F&l....Kc.Ve$;........!.]..\...r..)..B.....< .>>.5O{%..$.....?..\.7.&.......r....5 :.k......s-S.{z.pZ...QY0.tV0....H.....0.8..Jf..V..W?.....v.).k$ag.J3f"..t...3)....v............v.j}.)4j.^r..r.....n._"o.j..t0.W......O.zH...6.$..).gd...Z.b..40..M.f...A....C....v.w..}.....r.3.e..5..9..|.9N..{rCN{..6.k..W.........h.w.uEQR.AQI@-l..+....J_....s{.....}2p.......O.E.....}.76".x6.,.M./.8.u.....WM..*....?..%.....\@mU.Kr....]......{..#*...A.).........E.`..q..E............o..5...f...wR...H.9.z..|q....0.uI....
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):2540
                                                                              Entropy (8bit):7.801552142126602
                                                                              Encrypted:false
                                                                              SSDEEP:48:CDAZse4GVajjgsrMM7wEIyxduDwLHXsZ5z/C2iJQ7sKXhVFm1:C+sfGEjgsgM7lIKuK3qB6HJQ7BFm
                                                                              MD5:CBC6B2AD4BF883EA7ECB41D8D86B0964
                                                                              SHA1:3051043976773ABFC145A23942B42E4C7CAC5A1C
                                                                              SHA-256:C8844BA7CA7DF3C75532044792065C3D2B742C389FC9FA1A6E2776ED425917AF
                                                                              SHA-512:355B1E180D067ABAAB69F1F51CF0776DEE7156156195094825A1BA7FAC3BCF7AB303B5D68BE373878F400CD34EC9061DC549706B8AD344E66AC8968DAA7E812F
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:0......0.....*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0........J..........+"J.).V9...,...:'.......>.i..$V.Y.R..w......?)fA....l..B.I....W....d}.uw..),}.-..S......Z.fM.%<.R..Ln.<.U.]]....m.QS..R4..T.....)s>.(@.<C...>.../.F............|.i.:.._..1...@ns.<...!....O.'g.<X*.........ctf.=.........4.......?e......G}..N~.>P.....A^.e...8.*]..Z...l-se....g ..M;....@w....G...E...)...\.}W.lP...z..X.J..%!I..F&l....Kc.Ve$;........!.]..\...r..)..B.....< .>>.5O{%..$.....?..\.7.&.......r....5 :.k......s-S.{z.pZ...QY0.tV0....H.....0.8..Jf..V..W?.....v.).k$ag.J3f"..t...3)....v............v.j}.)4j.^r..r.....n._"o.j..t0.W......O.zH...6.$..).gd...Z.b..40..M.f...A....C....v.w..}.....r.3.e..5..9..|.9N..{rCN{..6.k..W.........h.w.uEQR.AQI@-l..+....J_....s{.....}2p.......O.E.....}.76".x6.,.M./.8.u.....WM..*....?..%.....\@mU.Kr....]......{..#*...A.).........E.`..q..E............o..5...f...wR...H.9.z..|q....0.uI....
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 13:05:22 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):2702
                                                                              Entropy (8bit):3.66478752643622
                                                                              Encrypted:false
                                                                              SSDEEP:48:8SdadjTTcvLC0lRYrnvsYd/KRkdAhuLoxdAKR+/KR0HynP:8S4AC7OuLjHy
                                                                              MD5:C7656AAE8AA05BCAE56D1A31B18FC90B
                                                                              SHA1:C1F45EE2971D87D692F60CF3E46B32626F4F4781
                                                                              SHA-256:5015B97F23869D2F74798FFAEE4C1F97D5C6B4C519551909AC2311512394F1BB
                                                                              SHA-512:C95905E99E74F207A91919E08B81FBA2C7D475F2D95FD0292FDD7237644C81BAC5C6BE95053B6F7972D7FB827B1290D140FA4AC042CBE78957F0148D1728528D
                                                                              Malicious:false
                                                                              Preview:L..................F.@.. ......,.....Jo......X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.e..PROGRA~1..t......O.IEW.p....B...............J.....t%..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.p....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.VEW.p....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.VEW.p...........................P..A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.p....I.....................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.M.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 5 21:41:46 2021, mtime=Thu Oct 5 13:07:16 2023, atime=Fri Sep 29 11:17:35 2023, length=4210216, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):2796
                                                                              Entropy (8bit):3.742823418389991
                                                                              Encrypted:false
                                                                              SSDEEP:48:8QAQI2dOe7xsJmrnzTdRd/uLoqdLXuHjPkZy+7:80NuLduDPkZy
                                                                              MD5:F548FD251822E4181E3CF0A56CB88F1F
                                                                              SHA1:07A8DCD3D53C8089FC3720122138789FD2359F6E
                                                                              SHA-256:0772A2FF2C5E52C65D69796221673C3A6A8757210C26ADA7F4AF132472FAA095
                                                                              SHA-512:4F4E6C48F02ED52AB41B80D3B8AC486A8CC8DAFFF559EE4CE17C5109F114B78DD6214D906B8613AF16AEDC271C61526C5689C7A5B74F609786C8A075A48667C5
                                                                              Malicious:false
                                                                              Preview:L..................F.@.. .....|.K...9..>.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW-F..PROGRA~2.........O.IEW.p....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....CW.`..MICROS~1..D......(Ux.EW.p..........................6|..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW.p...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.EW.p..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.EW.p....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............F.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe....B.r.o.w.s.e. .t.h.e. .w.e.b.N.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.1.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 11:48:37 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):2638
                                                                              Entropy (8bit):3.6519203502004247
                                                                              Encrypted:false
                                                                              SSDEEP:48:8SfPdtT1xBC0lRYrnv3d/KRkdAhuLoxdAKR+/KR2eqP:8SzJbC7QuLne
                                                                              MD5:DBBC794EBA0F007A9D19188F8A6F4C70
                                                                              SHA1:FD96E0482B72E26F7A2CBD9FF07B52B17E242DDF
                                                                              SHA-256:090AAB0EBD8B000D07E745F2A5A111742EFF943FF3185186070FA4C7C6BFA931
                                                                              SHA-512:84D8A54F57693A289AA044A7DFE4C71F201FDD3B958E949CD93F0623F8356945828A8710F023D43EEA783B871B345FC1CCD0167EAE101B2FFFC7E7DCBF543B9D
                                                                              Malicious:false
                                                                              Preview:L..................F.@.. ......,.......B.....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.e..PROGRA~1..t......O.IEW.e....B...............J.....t%..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.e....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.e..Chrome..>......CW.VEW.f....M......................Uk.C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.VEW.f...........................t..A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.f....I.....................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9729
                                                                              Entropy (8bit):5.522631979298995
                                                                              Encrypted:false
                                                                              SSDEEP:192:InnTRVgYbBp6Q+GaXES6BszhkUNBw8DKSc:mAej+0BU+qw/r
                                                                              MD5:C1599C407D3F4B91F2EDA0E2DBB6ECA6
                                                                              SHA1:BA07576399FBF376D1175969CF408E23979709D1
                                                                              SHA-256:3D57C659B7360AD7F00C7937C59135DC56EE62F7528AB5E5034BBAF26C449539
                                                                              SHA-512:6E9DE7247279A33B7C801EFC323488A61D59E8584906E7FF7C37B3A69586AE79AF1803C812A3813B8FB785BCEE56F9D0745D47A9FE22C4B356800C038FE7B999
                                                                              Malicious:true
                                                                              Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "42c220e3-810c-4591-b772-124a85cf4bad");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696514917);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696514919);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):6.92964474931813
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.65%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • InstallShield setup (43055/19) 0.21%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              File name:file.exe
                                                                              File size:5'363'712 bytes
                                                                              MD5:ca4a37c4e37044a6f27a300047cc41f5
                                                                              SHA1:eac1104e810b8a05e9cb8900a0e4daf73ab8998c
                                                                              SHA256:a55181a9277efe47ba8744273e847a42e5de4700c7f89e2e2cc12bd45f26661a
                                                                              SHA512:f7786ba0fb6446bcff41dd8166332a2569ed6491d63fe50122b21adab03c95bd60225a60a451e026773e5d17733c2f4fcbccb213dda1c4f42ad8b2144c786001
                                                                              SSDEEP:98304:kLLyjD2ICcZ/vHRdBAUZL10rBb4oaQgOlmI0:kLLyjD2xeRdV+rTA6mp
                                                                              TLSH:1946BF15BB42C232E9E102B163BADBF7E42D9E34331751CB71D4B0D8567A1E222BF649
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i.g..............0...Q...........Q.. ........@.. .......................@R...........@................................
                                                                              Icon Hash:90cececece8e8eb0
                                                                              Entrypoint:0x91eade
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x67D9699B [Tue Mar 18 12:39:55 2025 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x51ea84         0x57          .text
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x520000         0x800         .rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x522000         0xc           .reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
                                                                              .text   0x2000           0x51cae4      0x51cc00  c1f23a769932963ce359ba37b78a7d82  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rsrc   0x520000         0x800         0x800     6236d1607280fa0fa8dc4f094cfee469  False     0.38623046875    data       3.7304050719376187   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc  0x522000         0xc           0x200     dad26ad2881fe5446454a8268317633e  False     0.044921875      data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                              Name         RVA       Size   Type                                                                                      Language  Country  ZLIB Complexity
                                                                              RT_VERSION   0x520090  0x43a  data                                                                                                         0.4436229205175601
                                                                              RT_MANIFEST  0x5204dc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                             0.5489795918367347
                                                                              DLL          Import
                                                                              mscoree.dll  _CorExeMain
                                                                              Description       Data
                                                                              Translation       0x0000 0x04b0
                                                                              Comments          Designed to enhance productivity and security.
                                                                              CompanyName       Quantum Innovations
                                                                              FileDescription   NextCloud Suite
                                                                              FileVersion       6.9.40.284
                                                                              InternalName      Glossina.exe
                                                                              LegalCopyright    2024 Skyline Software. Do not distribute without permission.
                                                                              LegalTrademarks   HyperDrive
                                                                              OriginalFilename  Glossina.exe
                                                                              ProductName       NextCloud Suite
                                                                              ProductVersion    6.9.40.284
                                                                              Assembly Version  6.9.40.284


                                                                              • Total Packets: 43
                                                                              • 443 (HTTPS)
                                                                              • 80 (HTTP)
                                                                              • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 26, 2025 14:07:00.354691982 CET | 49677 | 443 | 192.168.2.3 | 2.23.227.215
Mar 26, 2025 14:07:00.354711056 CET | 49676 | 443 | 192.168.2.3 | 2.23.227.215
Mar 26, 2025 14:07:00.354897976 CET | 49675 | 443 | 192.168.2.3 | 184.86.251.5
Mar 26, 2025 14:07:00.870569944 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:01.182820082 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:01.792191029 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:02.682811022 CET | 49674 | 443 | 192.168.2.3 | 2.23.227.215
Mar 26, 2025 14:07:02.995245934 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:05.401562929 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:08.949242115 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:09.261081934 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:09.870347977 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:09.964081049 CET | 49676 | 443 | 192.168.2.3 | 2.23.227.215
Mar 26, 2025 14:07:09.964083910 CET | 49677 | 443 | 192.168.2.3 | 2.23.227.215
Mar 26, 2025 14:07:09.964119911 CET | 49675 | 443 | 192.168.2.3 | 184.86.251.5
Mar 26, 2025 14:07:10.214092016 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:11.073551893 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:12.292190075 CET | 49674 | 443 | 192.168.2.3 | 2.23.227.215
Mar 26, 2025 14:07:13.104923964 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:13.105037928 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:13.417160988 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:13.417243958 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:13.479665041 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:14.026514053 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:14.026525974 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:15.229657888 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:15.229762077 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:17.635895967 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:17.635920048 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:18.292200089 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:19.823524952 CET | 49673 | 443 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:20.402411938 CET | 49686 | 80 | 192.168.2.3 | 142.250.65.195
Mar 26, 2025 14:07:20.496453047 CET | 80 | 49686 | 142.250.65.195 | 192.168.2.3
Mar 26, 2025 14:07:20.496635914 CET | 49686 | 80 | 192.168.2.3 | 142.250.65.195
Mar 26, 2025 14:07:20.496889114 CET | 49686 | 80 | 192.168.2.3 | 142.250.65.195
Mar 26, 2025 14:07:20.590136051 CET | 80 | 49686 | 142.250.65.195 | 192.168.2.3
Mar 26, 2025 14:07:20.590645075 CET | 80 | 49686 | 142.250.65.195 | 192.168.2.3
Mar 26, 2025 14:07:20.597363949 CET | 49686 | 80 | 192.168.2.3 | 142.250.65.195
Mar 26, 2025 14:07:20.690591097 CET | 80 | 49686 | 142.250.65.195 | 192.168.2.3
Mar 26, 2025 14:07:20.745368004 CET | 49686 | 80 | 192.168.2.3 | 142.250.65.195
Mar 26, 2025 14:07:22.448411942 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:22.448573112 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Mar 26, 2025 14:07:27.901618004 CET | 49678 | 443 | 192.168.2.3 | 20.42.72.131
Mar 26, 2025 14:07:32.057866096 CET | 49680 | 80 | 192.168.2.3 | 184.30.131.245
Mar 26, 2025 14:07:32.057878017 CET | 49681 | 80 | 192.168.2.3 | 204.79.197.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 26, 2025 14:07:20.297635078 CET | 54786 | 53 | 192.168.2.3 | 1.1.1.1
Mar 26, 2025 14:07:20.398585081 CET | 53 | 54786 | 1.1.1.1 | 192.168.2.3
Mar 26, 2025 14:07:32.762568951 CET | 55655 | 53 | 192.168.2.3 | 1.1.1.1
Mar 26, 2025 14:07:32.866611958 CET | 53 | 55655 | 1.1.1.1 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 26, 2025 14:07:20.297635078 CET | 192.168.2.3 | 1.1.1.1 | 0x549e | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
Mar 26, 2025 14:07:32.762568951 CET | 192.168.2.3 | 1.1.1.1 | 0x3621 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 26, 2025 14:07:19.823843002 CET | 1.1.1.1 | 192.168.2.3 | 0xd92f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 26, 2025 14:07:19.823843002 CET | 1.1.1.1 | 192.168.2.3 | 0xd92f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 26, 2025 14:07:20.398585081 CET | 1.1.1.1 | 192.168.2.3 | 0x549e | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 26, 2025 14:07:20.398585081 CET | 1.1.1.1 | 192.168.2.3 | 0x549e | No error (0) | pki-goog.l.google.com | | 142.250.65.195 | A (IP address) | IN (0x0001) | false
Mar 26, 2025 14:07:32.866611958 CET | 1.1.1.1 | 192.168.2.3 | 0x3621 | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 26, 2025 14:07:32.866611958 CET | 1.1.1.1 | 192.168.2.3 | 0x3621 | No error (0) | pki-goog.l.google.com | | 142.250.80.67 | A (IP address) | IN (0x0001) | false
• c.pki.goog
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.3 | 49686 | 142.250.65.195 | 80

Timestamp | Bytes transferred | Direction | Data
Mar 26, 2025 14:07:20.496889114 CET | 202 | OUT | GET /r/gsr1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Mar 26, 2025 14:07:20.590645075 CET | 223 | IN | HTTP/1.1 304 Not Modified
Date: Wed, 26 Mar 2025 12:19:48 GMT
Expires: Wed, 26 Mar 2025 13:09:48 GMT
Age: 2852
Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
Mar 26, 2025 14:07:20.597363949 CET | 200 | OUT | GET /r/r4.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Mar 26, 2025 14:07:20.690591097 CET | 222 | IN | HTTP/1.1 304 Not Modified
Date: Wed, 26 Mar 2025 13:00:24 GMT
Expires: Wed, 26 Mar 2025 13:50:24 GMT
Age: 416
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

Both exchanges are conditional GETs for certificate revocation lists (/r/gsr1.crl and /r/r4.crl) answered with 304 Not Modified, and both carry User-Agent Microsoft-CryptoAPI/10.0: they are issued by the Windows certificate-chain validator, so c.pki.goog should be read as collateral revocation-check traffic rather than as infrastructure operated for the sample.



                                                                              Target ID:2
                                                                              Start time:09:07:42
                                                                              Start date:26/03/2025
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              Imagebase:0x6e0000
                                                                              File size:262'432 bytes
                                                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:09:07:47
                                                                              Start date:26/03/2025
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /C timeout 1 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                              Imagebase:0xa70000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:09:07:47
                                                                              Start date:26/03/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff78a5a0000
                                                                              File size:873'472 bytes
                                                                              MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:09:07:47
                                                                              Start date:26/03/2025
                                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:timeout 1
                                                                              Imagebase:0x860000
                                                                              File size:25'088 bytes
                                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Execution Graph


                                                                              Execution Coverage:46.4%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:56.8%
                                                                              Total number of Nodes:155
                                                                              Total number of Limit Nodes:13
Execution graph (rendered node/edge data reduced to the recoverable call structure; addresses are in the 00FB0000 memory dump):

fb2eb8 -> fb2ec0 VirtualProtect -> fb2f78
fb077f -> fb0786 -> fb0f71 VirtualProtect -> fb0982 -> fb0a08; fb0982 also calls fb302d (12 API calls) and fb3087 (12 API calls)
fb0752 -> fb0756 / fb07b4 -> fb0f71 VirtualProtect -> fb0982 (same fan-out as above)
fb09b2 -> fb09bc -> fb0a08, fb302d (12 API calls), fb3087 (12 API calls)
fb0848 -> fb0858 -> fb0f71 -> fb0fa4 -> fb1dd3 / fb1a10 / fb1a03 (each looping over fb0678 VirtualProtect) -> fb10e8 -> fb0982 -> fb0a08 / fb3087 / fb302d
fb302d and fb3087 (the injector body, 12 API calls each):
  fb4fe2 / fb5000 CreateProcessInternalW -> fb39ed
  -> fb5310 / fb5318 NtSetContextThread -> fb3af7
  -> fb5430 / fb5438 NtReadVirtualMemory -> fb3be5
  -> fb5584 / fb5588 NtAllocateVirtualMemory (two calls, via fb56c8 / fb56d0) -> fb3db9
  -> fb5803 / fb5808 NtWriteVirtualMemory -> fb3f24
  -> fb5803 / fb5808 NtWriteVirtualMemory -> fb4129
  -> fb5803 / fb5808 NtWriteVirtualMemory -> fb418e
  -> fb5310 / fb5318 NtSetContextThread -> fb427d
  -> fb5950 / fb5958 NtResumeThread -> fb3a16 -> fb0982
fb16dd -> fb16e8 CreateFileMappingA -> fb1835
fb16e8 -> fb174e CreateFileMappingA -> fb1835
fb14d0 -> fb1536 CreateFileA -> fb162b
fb14c4 -> fb14d0 CreateFileA -> fb162b
fb18e8 -> fb18f0 MapViewOfFile -> fb19ae
fb13a8 -> fb13fd K32GetModuleInformation -> fb1468
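The execution graph for fb302d/fb3087 is the textbook hollowing chain: spawn a process, read and allocate in it, write a payload across several calls, redirect a thread with NtSetContextThread, then resume it. The detector below is an added example, not code from the report or from the sample: it walks an ordered API trace and raises a finding only when a remote write is followed by a thread-context change and a resume, so the early NtSetContextThread at fb39ed (before any write) does not trigger it on its own. The record layout (caller_pid, api, target_pid), the PIDs and the traces are constructed for this example.

```python
"""Flag process hollowing / thread-hijack injection in an ordered API trace.

Added example, not part of the Joe Sandbox report. The HOLLOWING_TRACE
below is constructed by hand from the report's execution graph for
fb302d/fb3087 (CreateProcessInternalW, NtSetContextThread,
NtReadVirtualMemory, NtAllocateVirtualMemory x2, NtWriteVirtualMemory x3,
NtSetContextThread, NtResumeThread). The record layout
(caller_pid, api, target_pid) and the PIDs are assumptions.
"""
from dataclasses import dataclass

# Native and Win32 spellings of the same injection steps.
API_TO_STEP = {
    "CreateProcessInternalW": "create",
    "CreateProcessW": "create",
    "CreateProcessA": "create",
    "NtAllocateVirtualMemory": "alloc",
    "VirtualAllocEx": "alloc",
    "NtWriteVirtualMemory": "write",
    "WriteProcessMemory": "write",
    "NtSetContextThread": "setctx",
    "SetThreadContext": "setctx",
    "NtResumeThread": "resume",
    "ResumeThread": "resume",
}


@dataclass
class TargetState:
    created: bool = False          # caller spawned the target itself
    allocations: int = 0
    writes: int = 0
    ctx_after_write: bool = False  # a thread context was set once a payload existed


@dataclass(frozen=True)
class Finding:
    caller: int
    target: int
    kind: str
    writes: int
    allocations: int


def analyse(trace):
    """Return one Finding per (caller, target) pair that completes the
    write -> set-context -> resume chain. Writes into the caller's own
    address space (JIT, unpacking) are ignored."""
    states = {}
    findings = []
    for caller, api, target in trace:
        step = API_TO_STEP.get(api)
        if step is None or caller == target:
            continue
        st = states.setdefault((caller, target), TargetState())
        if step == "create":
            st.created = True
        elif step == "alloc":
            st.allocations += 1
        elif step == "write":
            st.writes += 1
        elif step == "setctx":
            # A context set before any write only probes the target; a
            # later one redirects execution into the written payload.
            st.ctx_after_write = st.ctx_after_write or st.writes > 0
        elif step == "resume" and st.writes and st.ctx_after_write:
            kind = "process_hollowing" if st.created else "thread_hijack_injection"
            findings.append(Finding(caller, target, kind, st.writes, st.allocations))
    return findings


# Constructed traces; PIDs are placeholders, not the report's.
HOLLOWING_TRACE = [
    (100, "CreateProcessInternalW", 200),
    (100, "NtSetContextThread", 200),
    (100, "NtReadVirtualMemory", 200),
    (100, "NtAllocateVirtualMemory", 200),
    (100, "NtAllocateVirtualMemory", 200),
    (100, "NtWriteVirtualMemory", 200),
    (100, "NtWriteVirtualMemory", 200),
    (100, "NtWriteVirtualMemory", 200),
    (100, "NtSetContextThread", 200),
    (100, "NtResumeThread", 200),
]

# Debugger-style parent: spawn suspended, inspect, resume, never write.
BENIGN_TRACE = [
    (300, "CreateProcessInternalW", 400),
    (300, "NtSetContextThread", 400),
    (300, "NtReadVirtualMemory", 400),
    (300, "NtResumeThread", 400),
]

if __name__ == "__main__":
    for finding in analyse(HOLLOWING_TRACE) + analyse(BENIGN_TRACE):
        print(finding)
```

Keying state on the (caller, target) pair is what keeps the rule quiet on normal parents and on self-modifying code; the same chain without a preceding CreateProcess is reported as thread-hijack injection into an already running process, which is the other shape this API set produces.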

                                                                              Executed Functions

                                                                              Control-flow Graph

Control-flow graph of fb302d (rendered basic-block data reduced to the recoverable structure; API names taken from the execution graph):

Function body spans fb302d-fb435d. Entry fb302d branches to fb303e (early return via fb3020-fb302b) or fb309c; the main path runs fb30a0 -> fb30c3-fb340b -> fb3412-fb35e9 (fb0a58 x2) -> fb361e-fb38ab (fb0a58 x10) -> fb38ad/fb38fd -> fb394a -> fb3957 (fb0a58) and then performs the following calls in order, each followed by a status check whose failure branch jumps to the common exit block fb4351-fb435d:
  fb3989: fb45b0 / fb45c0, then fb39eb: fb4fe2 / fb5000 (CreateProcessInternalW)
  fb3ad1: fb45b0 / fb45c0, then fb3af5: fb5310 / fb5318 (NtSetContextThread)
  fb3b94: fb45b0 / fb45c0, then fb3be3: fb5430 / fb5438 (NtReadVirtualMemory)
  fb3db3: fb5584 / fb5588 (NtAllocateVirtualMemory)
  fb3ec0: fb45b0 / fb45c0, then fb3f22: fb5803 / fb5808 (NtWriteVirtualMemory)
  fb4101-fb40fb loop: fb40c0: fb5803 / fb5808 (NtWriteVirtualMemory) once per iteration
  fb418c: fb5803 / fb5808 (NtWriteVirtualMemory)
  fb4257: fb45b0 / fb45c0, then fb427b: fb5310 / fb5318 (NtSetContextThread)
  fb42ea: fb45b0 / fb45c0, then fb430f: fb5950 / fb5958 (NtResumeThread)
After the resume, fb4311 -> fb4333 / fb433e -> fb4351 (exit).
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (
                                                                              • API String ID: 0-3887548279
                                                                              • Opcode ID: 437ef7678782c3891cf90ec625c2534f62ec30dd0e9c20f46fb93bd8f6d8d3dc
                                                                              • Instruction ID: 3cd5d3586471546038b2cd6d183e68056b8f0ca720f721916c38817d8a82bd8d
                                                                              • Opcode Fuzzy Hash: 437ef7678782c3891cf90ec625c2534f62ec30dd0e9c20f46fb93bd8f6d8d3dc
                                                                              • Instruction Fuzzy Hash: 33A2BC74E012298FDB64DF65CD88BE9BBB2BF89300F1481EA940DA7251DB349E85DF50

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb5414-fb556e; the block at fb54ba-fb551b calls NtReadVirtualMemory.
                                                                              APIs
                                                                              • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FB550B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryReadVirtual
                                                                              • String ID:
                                                                              • API String ID: 2834387570-0
                                                                              • Opcode ID: 67e8cf2dfcf566383e0286469cf8043701cfb1d09d2db41607fc861645a99f7f
                                                                              • Instruction ID: 8c0febd89138ea6a9e51d11db73e79612346a2dfc9fbc34fe48f06ed556a3cc3
                                                                              • Opcode Fuzzy Hash: 67e8cf2dfcf566383e0286469cf8043701cfb1d09d2db41607fc861645a99f7f
                                                                              • Instruction Fuzzy Hash: 20419AB5D012489FCF10CFA9D984ADEFBF1AB49314F24902AE819B7210D379A945CF64

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb57e4-fb593e; the block at fb588a-fb58eb calls NtWriteVirtualMemory.
                                                                              APIs
                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FB58DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryVirtualWrite
                                                                              • String ID:
                                                                              • API String ID: 3527976591-0
                                                                              • Opcode ID: ee4cfa81613044d683587d29e5dba648c7eaf61b99ebdd5d1535299f2c07d583
                                                                              • Instruction ID: 05670851de656c24745f5e881205de64e2010e962e64212ee32f1d5c3f336604
                                                                              • Opcode Fuzzy Hash: ee4cfa81613044d683587d29e5dba648c7eaf61b99ebdd5d1535299f2c07d583
                                                                              • Instruction Fuzzy Hash: C34198B5D012489FCB10CFAAD984ADEFBF1EB49310F20902AE919B7210D379A905CF64

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb56c8-fb57f2; the block at fb56c8-fb579d calls NtAllocateVirtualMemory.
                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 00FB578D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: e863bcb3b59fe3c41b745d0b7364cec6ffbf304091e703a297394ec45556ce91
                                                                              • Instruction ID: 17eb2fa13c6caa17a9e3f62dcad1c8d0d39e2ccbf42b976274e73e36a4f9fee0
                                                                              • Opcode Fuzzy Hash: e863bcb3b59fe3c41b745d0b7364cec6ffbf304091e703a297394ec45556ce91
                                                                              • Instruction Fuzzy Hash: 944189B5D012589FCF10CFA9D984ADEFBB1BF09310F20902AE915B7210D775A945CFA4

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb5438-fb556e; the block at fb54ba-fb551b calls NtReadVirtualMemory.
                                                                              APIs
                                                                              • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FB550B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryReadVirtual
                                                                              • String ID:
                                                                              • API String ID: 2834387570-0
                                                                              • Opcode ID: ee1cf4010e57571fe49013cf03c395902cc9043cace8eaac95505f6df4e18c93
                                                                              • Instruction ID: c77936adb4ea560194021b149c45b6d2cdb5ebac8378034190936ff7b9b4819c
                                                                              • Opcode Fuzzy Hash: ee1cf4010e57571fe49013cf03c395902cc9043cace8eaac95505f6df4e18c93
                                                                              • Instruction Fuzzy Hash: E14188B4D012489FCF10CFAAD984ADEBBF1AB49314F24942AE819B7210D779A945CF64

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb5808-fb593e; the block at fb588a-fb58eb calls NtWriteVirtualMemory.
                                                                              APIs
                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FB58DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryVirtualWrite
                                                                              • String ID:
                                                                              • API String ID: 3527976591-0
                                                                              • Opcode ID: 91b0d36236386691563670e784355ddcf985ee054a41dd57183bcb0defeb96a2
                                                                              • Instruction ID: ce1c4e21e3f16a7007bceed91a2864d8927c846aeaa6ec6aa11bddc65dd71502
                                                                              • Opcode Fuzzy Hash: 91b0d36236386691563670e784355ddcf985ee054a41dd57183bcb0defeb96a2
                                                                              • Instruction Fuzzy Hash: 2A4188B4D012489FCB10CFAAD984ADEBBF1AB49310F20942AE818B7250D779A945CF64

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb56d0-fb57f2; the block at fb56d0-fb579d calls NtAllocateVirtualMemory.
                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 00FB578D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: 2a6bce29dae94c1d1c081b262f2f142fe78178b60edeb1d40afc03fd838a1b4c
                                                                              • Instruction ID: 63bfb59b34ac635919fc1f0852e25d0cd5b84df79dbcd7d935dd028ce699f3d8
                                                                              • Opcode Fuzzy Hash: 2a6bce29dae94c1d1c081b262f2f142fe78178b60edeb1d40afc03fd838a1b4c
                                                                              • Instruction Fuzzy Hash: B94177B9D002589FCF10CFAAD984ADEFBB1BB09310F20902AE915B7210D775A9458FA4
                                                                              APIs
                                                                              • NtSetContextThread.NTDLL(?,?), ref: 00FB53C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              • Opcode ID: 5fac1e5dfa001c921a873fad41bab82c5c31830ebb7f17946b18313b0af3d576
                                                                              • Instruction ID: 93e11142feada03e9fb893ad2a81834402e529f67f94aeca811d963c2e236e18
                                                                              • Opcode Fuzzy Hash: 5fac1e5dfa001c921a873fad41bab82c5c31830ebb7f17946b18313b0af3d576
                                                                              • Instruction Fuzzy Hash: E241AAB4D012589FCB14CFAAD984ADEBBF1AF49310F24802AE418BB310D779A945CF64
                                                                              APIs
                                                                              • NtSetContextThread.NTDLL(?,?), ref: 00FB53C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              • Opcode ID: cd68d536f6350cff2f84915f4e98142bac65a5c38ac6a1b279a6e2b818314a23
                                                                              • Instruction ID: ea40ea18b119b6311a31972e9054e44a31194fcbaee638819e1fb8043daf4444
                                                                              • Opcode Fuzzy Hash: cd68d536f6350cff2f84915f4e98142bac65a5c38ac6a1b279a6e2b818314a23
                                                                              • Instruction Fuzzy Hash: DA319AB4D002589FCB14CFAAD984ADEBBF1AF49310F24802AE418B7300D779A945CFA4
                                                                              APIs
                                                                              • NtResumeThread.NTDLL(?,?), ref: 00FB59E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: 11a8ae18501b376f84c0d858c5594b3b601b382df76b1857a7882785bb5249d1
                                                                              • Instruction ID: 1ec97d90e37729993e401a06f41b3cc746d91be738bac8511d00521b67329afa
                                                                              • Opcode Fuzzy Hash: 11a8ae18501b376f84c0d858c5594b3b601b382df76b1857a7882785bb5249d1
                                                                              • Instruction Fuzzy Hash: 1F319CB5D012589FCB10CFA9D984ADEFBF0BB49320F10946AE515B7200C779A946CF94
                                                                              APIs
                                                                              • NtResumeThread.NTDLL(?,?), ref: 00FB59E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: 5c92d07d27e2914f226a0e60aeeda04dc7be7a809e6d5c8feae16fc38f8f9791
                                                                              • Instruction ID: 4f541edb71558d9a535ea5c91db41bc0e8961b18f217b6abf672eb4472b44374
                                                                              • Opcode Fuzzy Hash: 5c92d07d27e2914f226a0e60aeeda04dc7be7a809e6d5c8feae16fc38f8f9791
                                                                              • Instruction Fuzzy Hash: EB318BB5D012589FCB10CFAAD984ADEFBF5BB49310F10942AE815B7300D779A945CFA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 54f2895aea7bfb706b51be727c4c4bd4020cd4e20b7219e5dd055425ad60fd93
                                                                              • Instruction ID: 6c278d7c0a74d1e29858b4574b023c00a50c1811c0f652a36fc564dc8658bd6a
                                                                              • Opcode Fuzzy Hash: 54f2895aea7bfb706b51be727c4c4bd4020cd4e20b7219e5dd055425ad60fd93
                                                                              • Instruction Fuzzy Hash: 21A11371D053698FDB25DF6ACC547DABBB2AF8A300F1481EAD448AB261DB305E85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8d6fe88d5539dd9bb8173b7ef43f66498a10c4a965b15e2ea78f4eb5a9a77fa0
                                                                              • Instruction ID: 66b8c1fb19885552fc9861b15244053e3af0692ee9d2d92cd4f5ca176abb9672
                                                                              • Opcode Fuzzy Hash: 8d6fe88d5539dd9bb8173b7ef43f66498a10c4a965b15e2ea78f4eb5a9a77fa0
                                                                              • Instruction Fuzzy Hash: 8A22D9B1E012288FDB68CFA9CC90BDDBBB1AF88301F5481A9D509AB355DB705E85DF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b693392b96375c1abc88ec371c0ca387f4a8a00606c98769d63b68f0fab93df6
                                                                              • Instruction ID: 9d335398a1cf56b8d09975e6d69276f26af6045fd6fa4e0b9d3f5b8b02ed3a3a
                                                                              • Opcode Fuzzy Hash: b693392b96375c1abc88ec371c0ca387f4a8a00606c98769d63b68f0fab93df6
                                                                              • Instruction Fuzzy Hash: 5BC19274D012288FDB68DF66C890BDDBBB2BF89310F1081AAD509A7355DB349E85DF90
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 00443bf5e24121da4db0afa7cd693d851493e967efe5b6adb49a9f0533d74007
                                                                              • Instruction ID: 41c55ddd7031d8e256b8456c0395a7dd3a1361aafed1340b22385eaa001a4811
                                                                              • Opcode Fuzzy Hash: 00443bf5e24121da4db0afa7cd693d851493e967efe5b6adb49a9f0533d74007
                                                                              • Instruction Fuzzy Hash: 3951C2B5D012288BDB28CF6AD8447DDBBF2BF89300F10C5AAD449A7354EB705A85CF90

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb4fe2-fb52e1; the block at fb5111-fb5201 calls CreateProcessInternalW.
                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB51EE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInternalProcess
                                                                              • String ID:
                                                                              • API String ID: 2186235152-0
                                                                              • Opcode ID: 4a5503f8afead3041e908a85dc3db53a2162186eb25c8b9b3cb677b74f8789a6
                                                                              • Instruction ID: d1ed59a64949d3b0dc741e6460feada09ab6ba6bb268b8e0b6e9701a9c13ccf2
                                                                              • Opcode Fuzzy Hash: 4a5503f8afead3041e908a85dc3db53a2162186eb25c8b9b3cb677b74f8789a6
                                                                              • Instruction Fuzzy Hash: 6F81EE74C042598FCF25CFA9C880BEEBBB1BF09300F1490AAE949B7250D7749A85DF54

                                                                              Control-flow Graph
                                                                              Control-flow graph (rendered figure, not reproduced): blocks fb5000-fb52e1; the block at fb5111-fb5201 calls CreateProcessInternalW.
                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB51EE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at fb14c4 (calls CreateFileA); graph rendering not reproduced.
                                                                              APIs
                                                                              • CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 00FB1619
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at fb14d0 (calls CreateFileA); graph rendering not reproduced.
                                                                              APIs
                                                                              • CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 00FB1619
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at fb16dd (calls CreateFileMappingA); graph rendering not reproduced.
                                                                              APIs
                                                                              • CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 00FB1823
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at fb16e8 (calls CreateFileMappingA); graph rendering not reproduced.
                                                                              APIs
                                                                              • CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 00FB1823
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at fb18e8 (calls MapViewOfFile); graph rendering not reproduced.
                                                                              APIs
                                                                              • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 00FB199C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at fb2eb8 (calls VirtualProtect); graph rendering not reproduced.
                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FB2F66
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              APIs
                                                                              • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 00FB199C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FB2F66
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              APIs
                                                                              • K32GetModuleInformation.KERNEL32(?,?,?,?), ref: 00FB1456
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd
                                                                              APIs
                                                                              • K32GetModuleInformation.KERNEL32(?,?,?,?), ref: 00FB1456
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1631056349.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_fb0000_file.jbxd

                                                                               Execution Graph
                                                                               
                                                                               Execution Coverage: 17.5%
                                                                               Dynamic/Decrypted Code Coverage: 100%
                                                                               Signature Coverage: 0%
                                                                               Total number of Nodes: 6
                                                                               Total number of Limit Nodes: 0
                                                                               Execution graph (rendering not reproduced): f32890 -> CloseHandle -> f328fe; f327c0 -> GetTokenInformation -> f3284e

                                                                              Executed Functions

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at 59c0c28 (no API calls resolved); graph rendering not reproduced.
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd

                                                                               Control-flow Graph
                                                                               
                                                                               Control-flow graph of the function at 59c0c38 (no API calls resolved); graph rendering not reproduced.
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd

                                                                              Control-flow Graph
                                                                              control_flow_graph 705 f327b8-f32803 706 f3280b-f3284c GetTokenInformation 705->706 707 f32855-f3287d 706->707 708 f3284e-f32854 706->708 708->707
                                                                              APIs
                                                                              • GetTokenInformation.KERNELBASE(?,?,?,?,?), ref: 00F3283F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1689227681.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_f30000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID: InformationToken
                                                                              • String ID:
                                                                              • API String ID: 4114910276-0
                                                                              • Opcode ID: aa3188868e801a6f22ad0ddcd0c1b5ab4dd0ac852adc6141d2a8cc983d444afb
                                                                              • Instruction ID: 65281e1acbf87221848ddf43c2faacedcc48f72665b7dfccbd25aabdda0fc088
                                                                              • Opcode Fuzzy Hash: aa3188868e801a6f22ad0ddcd0c1b5ab4dd0ac852adc6141d2a8cc983d444afb
                                                                              • Instruction Fuzzy Hash: C321E3B5C012499FCB10CF9AD885ADEBBF5FF48320F10852AE918A7250D3789945CFA1

                                                                              Control-flow Graph
                                                                              control_flow_graph 711 f327c0-f3284c GetTokenInformation 713 f32855-f3287d 711->713 714 f3284e-f32854 711->714 714->713
                                                                              APIs
                                                                              • GetTokenInformation.KERNELBASE(?,?,?,?,?), ref: 00F3283F
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1689227681.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_f30000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID: InformationToken
                                                                              • String ID:
                                                                              • API String ID: 4114910276-0
                                                                              • Opcode ID: 73af95b7ba4fa0ba2eee472b77b3d003c70652e73b3e1c10731eca851e168534
                                                                              • Instruction ID: 81a8b8b74d249a4d235154a17636bde7ae6f744c70a72f963c2b164c3a1f4a5b
                                                                              • Opcode Fuzzy Hash: 73af95b7ba4fa0ba2eee472b77b3d003c70652e73b3e1c10731eca851e168534
                                                                              • Instruction Fuzzy Hash: 3721D0B5D002499FCB10CF9AD984ADEBBF5FF48320F10852AE918A7350D778A945CBA5

                                                                              Control-flow Graph
                                                                              control_flow_graph 1215 f32889-f328fc CloseHandle 1217 f32905-f3292d 1215->1217 1218 f328fe-f32904 1215->1218 1218->1217
                                                                              APIs
                                                                              • CloseHandle.KERNELBASE(?), ref: 00F328EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1689227681.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_f30000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: 592d372c1597356777b47cb3b63a9086cb1dedc69bb9680ad4fe9ff4e27bb3cc
                                                                              • Instruction ID: 4efefc6270d430aff004327f02ce6e574f6a4eef812b92defbcbf5cb6bce3c89
                                                                              • Opcode Fuzzy Hash: 592d372c1597356777b47cb3b63a9086cb1dedc69bb9680ad4fe9ff4e27bb3cc
                                                                              • Instruction Fuzzy Hash: 2B1146B58002498FCB10CFAAD444BEEBFF0AF48320F24845AD458A7241D778A944CFA1

                                                                              Control-flow Graph
                                                                              control_flow_graph 1221 f32890-f328fc CloseHandle 1223 f32905-f3292d 1221->1223 1224 f328fe-f32904 1221->1224 1224->1223
                                                                              APIs
                                                                              • CloseHandle.KERNELBASE(?), ref: 00F328EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1689227681.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_f30000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: 30b6d3b7098eb6a68f5882a51399f2f278f4a09f73b1239c5b5e7a2884d3c6a8
                                                                              • Instruction ID: cf81c811f7d7a53df79e1c7954a0447624a0dae9b49cfcac0541167df90c5632
                                                                              • Opcode Fuzzy Hash: 30b6d3b7098eb6a68f5882a51399f2f278f4a09f73b1239c5b5e7a2884d3c6a8
                                                                              • Instruction Fuzzy Hash: 9C1122B18002498FCB20DF9AD545BEEBBF4EF88320F20846AD518A7340D778A944CFA5

                                                                              Control-flow Graph
                                                                              control_flow_graph 1246 59c38b4-59c3ac9 1282 59c3ad3-59c3df5 1246->1282 1332 59c4328-59c4335 1282->1332 1333 59c3dfb-59c3e07 1282->1333 1334 59c3e0d-59c4280 1333->1334 1335 59c433f-59c4377 1333->1335 1444 59c42fb-59c4322 1334->1444 1445 59c4282-59c4294 1334->1445 1341 59c4379-59c4383 1335->1341 1342 59c4385 1335->1342 1344 59c438a-59c438c 1341->1344 1342->1344 1345 59c438e-59c43a5 1344->1345 1346 59c43a7-59c43a9 1344->1346 1345->1346 1348 59c43ab-59c43b5 1346->1348 1349 59c43b7 1346->1349 1352 59c43bc-59c43be 1348->1352 1349->1352 1353 59c43f7-59c43fb 1352->1353 1354 59c43c0-59c43c9 1352->1354 1359 59c43cb-59c43cf 1354->1359 1360 59c43d0-59c43e3 1354->1360 1363 59c43fc-59c44ef 1360->1363 1364 59c43e5-59c43f6 1360->1364 1377 59c44f1 1363->1377 1378 59c44f3-59c4502 1363->1378 1377->1378 1379 59c4503-59c4520 1377->1379 1388 59c4522-59c455a 1379->1388 1389 59c4583 1379->1389 1389->1389 1444->1332 1444->1333 1448 59c42ea-59c42f9 1445->1448 1449 59c4296-59c42ac 1445->1449 1448->1444 1448->1445 1449->1448 1453 59c42ae-59c42e3 1449->1453 1453->1448
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0169c82a2b4151b06a725abbed25432b20c9b74fcff3f320b852ebd42bec3116
                                                                              • Instruction ID: 520a63b460b3de9e31d640fd7bee6a543be62e355861e356a1fb23734392cbee
                                                                              • Opcode Fuzzy Hash: 0169c82a2b4151b06a725abbed25432b20c9b74fcff3f320b852ebd42bec3116
                                                                              • Instruction Fuzzy Hash: FA62D374F021059FEB58EB68D8A176EB7B6FBCD310F50846AD409E778ACE345C029B51

                                                                              Control-flow Graph
                                                                              control_flow_graph 1458 59c2558-59c25c1 1686 59c25c3 call 59c33c8 1458->1686 1687 59c25c3 call 59c3401 1458->1687 1466 59c25c9-59c25ef 1469 59c278d-59c27af 1466->1469 1470 59c25f5-59c2617 1466->1470 1475 59c27b5-59c28a5 1469->1475 1476 59c2910-59c2932 1469->1476 1470->1469 1477 59c261d-59c263f 1470->1477 1570 59c28ab-59c28c5 1475->1570 1571 59c30c5-59c30ca 1475->1571 1484 59c2938-59c2aa5 1476->1484 1485 59c2aaa-59c2acc 1476->1485 1477->1469 1486 59c2645-59c2788 1477->1486 1629 59c3161-59c3168 1484->1629 1495 59c2ace-59c2af0 1485->1495 1496 59c2af6-59c2c63 1485->1496 1486->1629 1495->1496 1509 59c2c68-59c2c8a 1495->1509 1496->1629 1521 59c2c90-59c2d8c 1509->1521 1522 59c2d91-59c2db3 1509->1522 1521->1629 1538 59c2db9-59c2f26 1522->1538 1539 59c2f2b-59c2f4d 1522->1539 1538->1629 1556 59c30cf-59c3160 1539->1556 1557 59c2f53-59c30c0 1539->1557 1557->1629 1570->1571 1585 59c28cb-59c290b 1570->1585 1571->1556 1585->1629 1686->1466 1687->1466
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a73fc0bf5ade78bc4a5a2754de8decfc9d889ce65925d67ec2b247d714ef912b
                                                                              • Instruction ID: 00579ed74562fb9036a5ff74440a1d59ac6b4dd6d8cc1dba30d4bf7df403d174
                                                                              • Opcode Fuzzy Hash: a73fc0bf5ade78bc4a5a2754de8decfc9d889ce65925d67ec2b247d714ef912b
                                                                              • Instruction Fuzzy Hash: 75424174B01214ABEB54A67DCC2472F79AFEFE9720F108029A805E77D9CD6C9C0297A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ab5732a39205b533d9a4b024e1d80c3087999dbac29031987f75021d497516df
                                                                              • Instruction ID: 530587b81769f8075b81330e591610c569a4a0e8a95a8c2d022aa8e22e987101
                                                                              • Opcode Fuzzy Hash: ab5732a39205b533d9a4b024e1d80c3087999dbac29031987f75021d497516df
                                                                              • Instruction Fuzzy Hash: 44814470F012029BDB54EB78D95076EB6E6EB8D310F618479D905E7789EE34EC02CB61
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ecf6be4e2d7873aa3110bbdb61f6c7283fc1f8103c3ff44392bdeb34ee99d4d2
                                                                              • Instruction ID: 770007039a02bfdad5b66ef875764f2ed4a11075bd174d21dca575f795941bda
                                                                              • Opcode Fuzzy Hash: ecf6be4e2d7873aa3110bbdb61f6c7283fc1f8103c3ff44392bdeb34ee99d4d2
                                                                              • Instruction Fuzzy Hash: 1071D174701201AFDB18EB28C891B3FBBA7EFD4300F518469D9059B799DB38BC029795
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8dd4230d7dcf70a6913949170be43b12d9496f61c570c91139bb55262cef7599
                                                                              • Instruction ID: 408e49f30cdb1ee3d56103ae9f627d4994cdd69d84995d83159b08aa4b0da6a7
                                                                              • Opcode Fuzzy Hash: 8dd4230d7dcf70a6913949170be43b12d9496f61c570c91139bb55262cef7599
                                                                              • Instruction Fuzzy Hash: B471BF74701201AFDB18EB68C891B3FBBA7EFD4300F118469D9459B799DB38BC029795
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6fd294c43a420356de9132c200aa18c1a73fe135e0ef7c489b16f61a2d983a57
                                                                              • Instruction ID: 4190ab1c70b94d4d58656da7ef3ea1e844ecd01a41233798fdba11c3deec60cf
                                                                              • Opcode Fuzzy Hash: 6fd294c43a420356de9132c200aa18c1a73fe135e0ef7c489b16f61a2d983a57
                                                                              • Instruction Fuzzy Hash: 01518E74B012049FEB14A7B9D85476F7AEBEFA9710F104029E80AE73C5DE389C028795
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 23863ffdb92f56c23059787d4a867991cf5dd33c4ca22cf23359012f7f7c9cd7
                                                                              • Instruction ID: ee11743aabdd4d949bd7a23c4d5e68c4a185e327930b376144bf9d387fee3e3d
                                                                              • Opcode Fuzzy Hash: 23863ffdb92f56c23059787d4a867991cf5dd33c4ca22cf23359012f7f7c9cd7
                                                                              • Instruction Fuzzy Hash: 095147B0E00318CFCB14CFA9D985BAEBBF9BF88310F14812AE415A7255DB749841CF95
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e0f9c2cae52d4ea73c1bd22285d37537dc585a5e2566e15e17a330369e6f74c1
                                                                              • Instruction ID: 126ba3eec3f545f38a927d735a83d05c1791d4cd9e24fabe6b1cd8aa102f19e7
                                                                              • Opcode Fuzzy Hash: e0f9c2cae52d4ea73c1bd22285d37537dc585a5e2566e15e17a330369e6f74c1
                                                                              • Instruction Fuzzy Hash: 5C5146B0E002189FDB14CFA9D985B9EBBF9BF88300F14812AE405A7295EB749841CF95
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ba2257134ff1d25c5b1e39725effba7148d459dadd276ab602921ac7fd6be5e4
                                                                              • Instruction ID: 6a220b5ffbf81b6281b986a976ad641e0fcab987767655d8bdd3093a7391dea3
                                                                              • Opcode Fuzzy Hash: ba2257134ff1d25c5b1e39725effba7148d459dadd276ab602921ac7fd6be5e4
                                                                              • Instruction Fuzzy Hash: 305169B1E002599FCB14CFA9D9416AEBFF5BF88700F10C96ED419A7244D7349842CF91
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 76b4c29a9bb087ee699cd281c7ed28d021753b110726bbead567f141fed139b0
                                                                              • Instruction ID: e3de8e6877f4ed5bb959dd1526f5f0f91c27d13aa979bd9e5a996f86d897e2e2
                                                                              • Opcode Fuzzy Hash: 76b4c29a9bb087ee699cd281c7ed28d021753b110726bbead567f141fed139b0
                                                                              • Instruction Fuzzy Hash: C64146B0E002999FDB14CFA9D9817AEBFF5BB48700F10C92AE419E7254D7789846CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 10b822be6c66b234abcec58e0132ef4deceb927ffa668f64fb160c18a11164ae
                                                                              • Instruction ID: 94a0b30bd8444eef3038f698996f34bb846fe4a90055f58e7282cdf9b19ad57e
                                                                              • Opcode Fuzzy Hash: 10b822be6c66b234abcec58e0132ef4deceb927ffa668f64fb160c18a11164ae
                                                                              • Instruction Fuzzy Hash: 9F31FB31B012468FDB14E778C9516AEBBB6EF85310F20496DD405A72C1FF75AE06C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5adfd70149621448a64829bd68f3aab67142cd3db92027a5bd7f27ddaa9a38ea
                                                                              • Instruction ID: 969ccb289437530cb48e572c8562bdc84fefa2f3b4d97f6cbe0ba95738cb9113
                                                                              • Opcode Fuzzy Hash: 5adfd70149621448a64829bd68f3aab67142cd3db92027a5bd7f27ddaa9a38ea
                                                                              • Instruction Fuzzy Hash: 8D41F2B5D012489FCF14CFAAD944ADEBFB6AF88310F10806AE405B7254DB35A945CF91
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47fc2d30d717ac97dbb5e2bea5e27663822e32563baadfc9143ec66f2bdfa310
                                                                              • Instruction ID: 42fa169e1df60072a1a794a88ea33ccb101468900fa2a99797258dcaff93d3c9
                                                                              • Opcode Fuzzy Hash: 47fc2d30d717ac97dbb5e2bea5e27663822e32563baadfc9143ec66f2bdfa310
                                                                              • Instruction Fuzzy Hash: 91314071D0474A9FCB15CFA4C4546DEFBB2BF89300F10895AE816BB304DB70A98ACB51
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ac06f2487fc66a02f7ffc07d9484e2af3e1a86bc38a186b7d771462203a1d568
                                                                              • Instruction ID: bdc0814cd63263e1a1c042247ce6420e5e0ad9530b5259c00b1f871ed0021ca3
                                                                              • Opcode Fuzzy Hash: ac06f2487fc66a02f7ffc07d9484e2af3e1a86bc38a186b7d771462203a1d568
                                                                              • Instruction Fuzzy Hash: 3F314F71E0474A9BCB19CFA1C4541DEFBB2BF89300F10895AE915BB304DB70A98ACB51
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3d6dd10e3c1aa81811f3af65ea9301826c36b048d28282a12a287a817cacbd6c
                                                                              • Instruction ID: 0196c398828051002ed3ea6fe6abd6ce263d6594ed1a9e4b4d4233e38c73cacf
                                                                              • Opcode Fuzzy Hash: 3d6dd10e3c1aa81811f3af65ea9301826c36b048d28282a12a287a817cacbd6c
                                                                              • Instruction Fuzzy Hash: 423112B0D012489FDB14CFAAD994ADEBFFAAF88300F14806AE445B7254DB349945CF51
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 84a3a2c523f617757bf6aef2bc5c0ea662af785989214e69977a2c09562e8da0
                                                                              • Instruction ID: d1f97337bbfbc6063508b29b2efadb8528dde1055647004070277530e3a7f5c7
                                                                              • Opcode Fuzzy Hash: 84a3a2c523f617757bf6aef2bc5c0ea662af785989214e69977a2c09562e8da0
                                                                              • Instruction Fuzzy Hash: 0F3103B5D012489FCB14CFA9D984ADEBFF5AF48310F24846AE405B7240C779A905CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e075d30838879203132242b9873c624523bceffe1f77665b693cbf557a7ba353
                                                                              • Instruction ID: ba71216cb8d1734461f14b33254163d7bcff96566d151e5f94231b7883a5a0a0
                                                                              • Opcode Fuzzy Hash: e075d30838879203132242b9873c624523bceffe1f77665b693cbf557a7ba353
                                                                              • Instruction Fuzzy Hash: 3B21F0B5D012489FDB14CFAAD995BDEBFF9AF48300F24886AE005B7340D7799945CBA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 650279f46ad7e8e04d6cd030fdd73de8d427d900c33e2ead4486c5b7fef9068b
                                                                              • Instruction ID: 26d12ab3ac7e638968e9f5e80e075528edc8a6f04025277870ad33cf3b195ec2
                                                                              • Opcode Fuzzy Hash: 650279f46ad7e8e04d6cd030fdd73de8d427d900c33e2ead4486c5b7fef9068b
                                                                              • Instruction Fuzzy Hash: D7214C71E0470A8FDB14CF90C5546AEBBB2BF88300F20885DD806BB744DB74A989CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1c69141554fbdee1746e6cbc29f54df6b5459ed158fffd1bbe268a352588e0c1
                                                                              • Instruction ID: 91f051d4263a8a222d97df6d3997b7c2fbed51f3ef6aaae7c8456090a399cae2
                                                                              • Opcode Fuzzy Hash: 1c69141554fbdee1746e6cbc29f54df6b5459ed158fffd1bbe268a352588e0c1
                                                                              • Instruction Fuzzy Hash: 1511C635F012149FDF60EF68D95567EBBFAEB89311F100469D80AE3345DA389D018B91
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2cf0887ee9a09cea3d9617e88212d5fe13d30ebc28c7026adf9fb54aa69767e5
                                                                              • Instruction ID: e84e0e63021c677d5a3829634201ef50f7c5b026535764c08a8d319aa3286cf8
                                                                              • Opcode Fuzzy Hash: 2cf0887ee9a09cea3d9617e88212d5fe13d30ebc28c7026adf9fb54aa69767e5
                                                                              • Instruction Fuzzy Hash: 2D0117317002048FC714DF2DD888E1AFBFAFF98220B1585AAE506CB362DB71EC018B90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 93a95d64ca5cb0cb0dab44972928fc91384d11f07b0eb1565667f8b61d4cc122
                                                                              • Instruction ID: 6ca62329c99c6a28bec49516336cd8226972e57d63eb93650f0767060250721a
                                                                              • Opcode Fuzzy Hash: 93a95d64ca5cb0cb0dab44972928fc91384d11f07b0eb1565667f8b61d4cc122
                                                                              • Instruction Fuzzy Hash: E40117716002059FC714DF29D888E5ABBFAFF99220B1585AAE506CB362D771EC018B90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690550285.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_5b00000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b58fe64997e643e7edc7fd7054a12a8af71995b2a7e6abfad6dbb9a20ffbee89
                                                                              • Instruction ID: 1d5e35b2987f352fcf049685b86d94d6caa53c0ae95aea18715b0a94a87ee972
                                                                              • Opcode Fuzzy Hash: b58fe64997e643e7edc7fd7054a12a8af71995b2a7e6abfad6dbb9a20ffbee89
                                                                              • Instruction Fuzzy Hash: 47F0A47630411947CB14A2AEA41457AFB9BDFD5221764C07FDA46C7390DD71D85282A0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690550285.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_5b00000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b58fe64997e643e7edc7fd7054a12a8af71995b2a7e6abfad6dbb9a20ffbee89
                                                                              • Instruction ID: 95fdf4ce57054ddf289594d24d6d20cff8d995db33f0ff880b71946f0448917c
                                                                              • Opcode Fuzzy Hash: b58fe64997e643e7edc7fd7054a12a8af71995b2a7e6abfad6dbb9a20ffbee89
                                                                              • Instruction Fuzzy Hash: 03F0C23630411947CB14A2AEA41467BFBDBDFD6321B54C07FD68AC7380ED72E84283A0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690550285.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_5b00000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 754785631cf12edad46a9104adc9d16093908552a81ea8058eb9896b13f6c471
                                                                              • Instruction ID: dfc8059bb438df74f365673b3f03c95820b307ae718923409a052ec0e2504ccb
                                                                              • Opcode Fuzzy Hash: 754785631cf12edad46a9104adc9d16093908552a81ea8058eb9896b13f6c471
                                                                              • Instruction Fuzzy Hash: 5E012456A0E3C04FC703537489286957F718EA3110B2F85EBC0D5DB1E7E9284C09CBB2
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a7a1e14777e124992587c0a0f4889b83996a6fcce9c8366fbb26bcdace22ae3c
                                                                              • Instruction ID: 0e8f405d7a83d0a6483cab0076f6b55d5fe493ede65cca63050e40f46a91df38
                                                                              • Opcode Fuzzy Hash: a7a1e14777e124992587c0a0f4889b83996a6fcce9c8366fbb26bcdace22ae3c
                                                                              • Instruction Fuzzy Hash: 5CF06D70F012129BEB14F7B8E824A2EB6B3DBDA321F1088A5D905AB3D5DE389C01C711
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 117ab91425b82670360fd4b1129e079d20703b40517df1e0f21f0325b666f530
                                                                              • Instruction ID: 977a9fdce0d9d6700c9ebeb3b3c2a669f3b144f47f13a6f0a98403c8a9f343fc
                                                                              • Opcode Fuzzy Hash: 117ab91425b82670360fd4b1129e079d20703b40517df1e0f21f0325b666f530
                                                                              • Instruction Fuzzy Hash: 57F0E935300200ABD7308A29DC06F9A7BE9EB84B14F04C266F614CB2D2D7B1E8428744
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 39b5f67a4f9c5d24647a5f557c0d2dddfb7bb27b1822191fe080830515dd62b1
                                                                              • Instruction ID: 6271089ffc36d642af3b5ab55fc4bc2a321d0d3173111b4c073db339cb4c41ba
                                                                              • Opcode Fuzzy Hash: 39b5f67a4f9c5d24647a5f557c0d2dddfb7bb27b1822191fe080830515dd62b1
                                                                              • Instruction Fuzzy Hash: 17E0EDB5D012199FCB80DFADD9422DEBBF4EE09650B1085AAE959E3351D7305B01CBC1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690550285.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_5b00000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a8a9a460fdd0a9349063bd47d4e6e485824bdf84d2faafc82582dd553860ef04
                                                                              • Instruction ID: 2c94dc5fb0589395fd034f536499d19afdf2fb650a9f6f70407eaf2d5f2b349e
                                                                              • Opcode Fuzzy Hash: a8a9a460fdd0a9349063bd47d4e6e485824bdf84d2faafc82582dd553860ef04
                                                                              • Instruction Fuzzy Hash: 29E0925660E3C40FC70763655928BA6AF754F93011B0E80F7D585CB2A3E924AC498372
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cf2bd6a4f025a7ace7be7c8a2511eb99c4cc0b2832b415b604f3a7adc55b61d6
                                                                              • Instruction ID: cdc26a65eabb1246c767b9bb569837ce8a8fe09d4274180563b459e3edbdb1ce
                                                                              • Opcode Fuzzy Hash: cf2bd6a4f025a7ace7be7c8a2511eb99c4cc0b2832b415b604f3a7adc55b61d6
                                                                              • Instruction Fuzzy Hash: 0BD0C2302491804FC706073858106AA7F644F4B205F1901FDC8894F297C9528C018B40
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4e474f0a2c3346a19c3d1fcb6cdc9a7c565fd22648142982ca57c83cbf9d692d
                                                                              • Instruction ID: 629158adac6a842b14c9f67719ca991cbe26100d4cf4040a36052757165820a4
                                                                              • Opcode Fuzzy Hash: 4e474f0a2c3346a19c3d1fcb6cdc9a7c565fd22648142982ca57c83cbf9d692d
                                                                              • Instruction Fuzzy Hash: CFC0123130061457C7095A69980166AB79D9B8A755F114179D5098B351DE63DC028BC0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1690511315.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_59c0000_MSBuild.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f1bd6ca50eac61a345a3f6c7a30ac1fd1c7ec7ae3cba59d9e4327a7647d0f07f
                                                                              • Instruction ID: 12b55eb4ac4b92079899c625218193d54bf872eed41d9ad136d1af61ea8560db
                                                                              • Opcode Fuzzy Hash: f1bd6ca50eac61a345a3f6c7a30ac1fd1c7ec7ae3cba59d9e4327a7647d0f07f
                                                                              • Instruction Fuzzy Hash: 4CA0017AA4001EAB8E105A99B80A2DCBB24E68527BB4400A2E719934109A31126A8B91