Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ STS3780082024.exe

Overview

General Information

Sample name:RFQ STS3780082024.exe
Analysis ID:1500397
MD5:9a057309180e58b6f230abfddd69d641
SHA1:fdd107e8261be425264c7863b07cdbaec37a23cf
SHA256:f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • RFQ STS3780082024.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\RFQ STS3780082024.exe" MD5: 9A057309180E58B6F230ABFDDD69D641)
    • powershell.exe (PID: 7508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 7516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 7532 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2ed23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16f62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2bc30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13e6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      Process Memory Space: RFQ STS3780082024.exe PID: 7316JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        5.2.MSBuild.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          5.2.MSBuild.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2ed23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16f62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          5.2.MSBuild.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            5.2.MSBuild.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2df23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x16162:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ STS3780082024.exe", ParentImage: C:\Users\user\Desktop\RFQ STS3780082024.exe, ParentProcessId: 7316, ParentProcessName: RFQ STS3780082024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", ProcessId: 7508, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ STS3780082024.exe", ParentImage: C:\Users\user\Desktop\RFQ STS3780082024.exe, ParentProcessId: 7316, ParentProcessName: RFQ STS3780082024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", ProcessId: 7508, ProcessName: powershell.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ STS3780082024.exe", ParentImage: C:\Users\user\Desktop\RFQ STS3780082024.exe, ParentProcessId: 7316, ParentProcessName: RFQ STS3780082024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe", ProcessId: 7508, ProcessName: powershell.exe

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: RFQ STS3780082024.exeReversingLabs: Detection: 50%
            Source: RFQ STS3780082024.exeVirustotal: Detection: 62%Perma Link
            Yara detected FormBook
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: RFQ STS3780082024.exeJoe Sandbox ML: detected
            Source: RFQ STS3780082024.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: RFQ STS3780082024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 4x nop then jmp 06F3AA34h0_2_06F3A0D6
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
            Source: RFQ STS3780082024.exe, 00000000.00000002.1698168982.000000000282A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: RFQ STS3780082024.exeString found in binary or memory: http://tempuri.org/tt.xsd;VP_Lab_6.Properties.Resources
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmp, RFQ STS3780082024.exe, 00000000.00000002.1700223321.00000000051F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: RFQ STS3780082024.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0042C003 NtClose,5_2_0042C003
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01232DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01232C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012335C0 NtCreateMutant,LdrInitializeThunk,5_2_012335C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01234340 NtSetContextThread,5_2_01234340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01234650 NtSuspendThread,5_2_01234650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232B60 NtClose,5_2_01232B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232BA0 NtEnumerateValueKey,5_2_01232BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232B80 NtQueryInformationFile,5_2_01232B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232BE0 NtQueryValueKey,5_2_01232BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232BF0 NtAllocateVirtualMemory,5_2_01232BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232AB0 NtWaitForSingleObject,5_2_01232AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232AF0 NtWriteFile,5_2_01232AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232AD0 NtReadFile,5_2_01232AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232D30 NtUnmapViewOfSection,5_2_01232D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232D00 NtSetInformationFile,5_2_01232D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232D10 NtMapViewOfSection,5_2_01232D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232DB0 NtEnumerateKey,5_2_01232DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232DD0 NtDelayExecution,5_2_01232DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232C00 NtQueryInformationProcess,5_2_01232C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232C60 NtCreateKey,5_2_01232C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232CA0 NtQueryInformationToken,5_2_01232CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232CF0 NtOpenProcess,5_2_01232CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232CC0 NtQueryVirtualMemory,5_2_01232CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232F30 NtCreateSection,5_2_01232F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232F60 NtCreateProcessEx,5_2_01232F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232FA0 NtQuerySection,5_2_01232FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232FB0 NtResumeThread,5_2_01232FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232F90 NtProtectVirtualMemory,5_2_01232F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232FE0 NtCreateFile,5_2_01232FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232E30 NtWriteVirtualMemory,5_2_01232E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232EA0 NtAdjustPrivilegesToken,5_2_01232EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232E80 NtReadVirtualMemory,5_2_01232E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232EE0 NtQueueApcThread,5_2_01232EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01233010 NtOpenDirectoryObject,5_2_01233010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01233090 NtSetValueKey,5_2_01233090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012339B0 NtGetContextThread,5_2_012339B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01233D10 NtOpenProcessToken,5_2_01233D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01233D70 NtOpenThread,5_2_01233D70
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_027BE0E40_2_027BE0E4
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F321D00_2_06F321D0
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F376D80_2_06F376D8
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F376C90_2_06F376C9
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F356280_2_06F35628
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F36CD00_2_06F36CD0
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F34DB80_2_06F34DB8
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F34D7C0_2_06F34D7C
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F3C3800_2_06F3C380
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F351F00_2_06F351F0
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F351E00_2_06F351E0
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F321C00_2_06F321C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004010005_2_00401000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0040292E5_2_0040292E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004029305_2_00402930
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0040F98A5_2_0040F98A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0040F9935_2_0040F993
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004162D05_2_004162D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004162D35_2_004162D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0040228B5_2_0040228B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004022905_2_00402290
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0040FBB35_2_0040FBB3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0040DC335_2_0040DC33
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004025905_2_00402590
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0042E6135_2_0042E613
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00402E205_2_00402E20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F01005_2_011F0100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129A1185_2_0129A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012881585_2_01288158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C01AA5_2_012C01AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B41A25_2_012B41A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B81CC5_2_012B81CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012920005_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BA3525_2_012BA352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C03E65_2_012C03E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E3F05_2_0120E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A02745_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012802C05_2_012802C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012005355_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C05915_2_012C0591
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A44205_2_012A4420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B24465_2_012B2446
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AE4F65_2_012AE4F6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012007705_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012247505_2_01224750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FC7C05_2_011FC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121C6E05_2_0121C6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012169625_2_01216962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A05_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012CA9A65_2_012CA9A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120A8405_2_0120A840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012028405_2_01202840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E68B85_2_011E68B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E8F05_2_0122E8F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BAB405_2_012BAB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B6BD75_2_012B6BD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA805_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120AD005_2_0120AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129CD1F5_2_0129CD1F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01218DBF5_2_01218DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FADE05_2_011FADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200C005_2_01200C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0CB55_2_012A0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0CF25_2_011F0CF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01242F285_2_01242F28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01220F305_2_01220F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A2F305_2_012A2F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01274F405_2_01274F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127EFA05_2_0127EFA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F2FC85_2_011F2FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BEE265_2_012BEE26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200E595_2_01200E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212E905_2_01212E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BCE935_2_012BCE93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BEEDB5_2_012BEEDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012CB16B5_2_012CB16B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123516C5_2_0123516C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EF1725_2_011EF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120B1B05_2_0120B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B70E95_2_012B70E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BF0E05_2_012BF0E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012070C05_2_012070C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AF0CC5_2_012AF0CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B132D5_2_012B132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011ED34C5_2_011ED34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0124739A5_2_0124739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012052A05_2_012052A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A12ED5_2_012A12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121B2C05_2_0121B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B75715_2_012B7571
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129D5B05_2_0129D5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C95C35_2_012C95C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BF43F5_2_012BF43F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F14605_2_011F1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BF7B05_2_012BF7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012456305_2_01245630
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B16CC5_2_012B16CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012959105_2_01295910
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012099505_2_01209950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121B9505_2_0121B950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126D8005_2_0126D800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012038E05_2_012038E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BFB765_2_012BFB76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121FB805_2_0121FB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01275BF05_2_01275BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123DBF95_2_0123DBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01273A6C5_2_01273A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BFA495_2_012BFA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B7A465_2_012B7A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01245AA05_2_01245AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129DAAC5_2_0129DAAC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A1AA35_2_012A1AA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012ADAC65_2_012ADAC6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B7D735_2_012B7D73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01203D405_2_01203D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B1D5A5_2_012B1D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121FDC05_2_0121FDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01279C325_2_01279C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BFCF25_2_012BFCF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BFF095_2_012BFF09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BFFB15_2_012BFFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01201F925_2_01201F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C3FD55_2_011C3FD5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C3FD25_2_011C3FD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01209EB05_2_01209EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 01247E54 appears 108 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0127F290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 011EB970 appears 265 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0126EA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 01235130 appears 58 times
            Source: RFQ STS3780082024.exe, 00000000.00000002.1698605704.0000000003897000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exe, 00000000.00000002.1701092052.0000000006E80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exe, 00000000.00000000.1643859543.00000000004C2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBpCj.exe6 vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exe, 00000000.00000002.1700250671.00000000052A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exe, 00000000.00000002.1696339255.00000000009CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exe, 00000000.00000002.1698605704.00000000037F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exeBinary or memory string: OriginalFilenameBpCj.exe6 vs RFQ STS3780082024.exe
            Source: RFQ STS3780082024.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: RFQ STS3780082024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, b75OHExKKCmLTZp12S.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, b75OHExKKCmLTZp12S.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, b75OHExKKCmLTZp12S.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.csSecurity API names: _0020.AddAccessRule
            Source: classification engineClassification label: mal100.troj.evad.winEXE@8/6@0/0
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ STS3780082024.exe.logJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMutant created: \Sessions\1\BaseNamedObjects\DjyZLedjLNbHnESeUkdoDHNOD
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aj4revyi.lf2.ps1Jump to behavior
            Source: RFQ STS3780082024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: RFQ STS3780082024.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: RFQ STS3780082024.exeReversingLabs: Detection: 50%
            Source: RFQ STS3780082024.exeVirustotal: Detection: 62%
            Source: unknownProcess created: C:\Users\user\Desktop\RFQ STS3780082024.exe "C:\Users\user\Desktop\RFQ STS3780082024.exe"
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: RFQ STS3780082024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: RFQ STS3780082024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.cs.Net Code: R4f8I39MJA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.cs.Net Code: R4f8I39MJA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.cs.Net Code: R4f8I39MJA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ STS3780082024.exe.52a0000.3.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ STS3780082024.exe.3812250.1.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeCode function: 0_2_06F30006 push es; retf 0_2_06F3001C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004030F0 push eax; ret 5_2_004030F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004220F2 push ss; retn 0000h5_2_004220FA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00423134 push esp; iretd 5_2_00423135
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0041A265 pushfd ; retf 5_2_0041A26C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_004132CA push edx; retf 5_2_004132CE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0041CB52 push es; retf 5_2_0041CB53
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0041CBD6 pushfd ; retf 5_2_0041CBD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0041ED9D push ebp; iretd 5_2_0041ED9E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C225F pushad ; ret 5_2_011C27F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C27FA pushad ; ret 5_2_011C27F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F09AD push ecx; mov dword ptr [esp], ecx5_2_011F09B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011C283D push eax; iretd 5_2_011C2858
            Source: RFQ STS3780082024.exeStatic PE information: section name: .text entropy: 7.771271485735661
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, BwMyEtOMEZLZYAjRrQ.csHigh entropy of concatenated method names: 'QOIXviPese', 'zD7XycAovT', 'MH9XInxAxv', 'pnHXVdKFSE', 'vZ0XwMdeBS', 'oKdX0sim2c', 'gwyXSauUhd', 'ceXXxGjhoU', 'a16XZeLSya', 'g7XXJoXsVp'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, AocHb1ZAB5KCyGZCof.csHigh entropy of concatenated method names: 'OnQCVliLw1', 'stMC0sX34S', 'qsaCx7RHcR', 'lSxCZkp3Yi', 'rGZCqJv7MP', 'STsCRcNBAR', 'SA6C6ydHO4', 'G1qCsfKqiR', 'a3UCpn58Uj', 'bB1CYa7JCw'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, b75OHExKKCmLTZp12S.csHigh entropy of concatenated method names: 'nqFclMjCTM', 'An8cD75oqS', 'eavcQN8GhY', 'OJncoPxDb1', 'AbFcH01LPk', 'cK2c2yGQa5', 'YQKc415PaR', 'jLUcMwO5Tc', 'aHfc1w1FYm', 'PrWcP7USly'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, bGIP4VPhgee4XJbWYW.csHigh entropy of concatenated method names: 'hCWpiOjgtk', 'Jo9pW8SSPK', 'kQ9p8Z71ox', 'AX1pGS9Vqm', 'R0apcBdnFT', 'V3vpbGBxSO', 'OPYpFlm4Bq', 'jeMs4qGKB4', 'y75sMbgast', 'uJns16vRqM'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, nDXOKo1yIbNE6rsG63.csHigh entropy of concatenated method names: 'ATQsBAEcCs', 'gfesULGWWR', 'vD2sa6mqAR', 'g2nsrVh99B', 'radslXh4MW', 'nEUsNgW7xp', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, ECXidh2Ok4EYkVxfJM.csHigh entropy of concatenated method names: 'mVG6MeMqa1', 'wS36PHsUuM', 'XHmsd5Y6rH', 'qbasiWUWy2', 'eI36hLXL6U', 'nug6K8vjfH', 'dZS69EEdEE', 'k1V6lKGDWE', 'pWk6DsBec8', 'Ojq6QGwpj6'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, Ed6mgvidnb18jusbqYM.csHigh entropy of concatenated method names: 'FGwpv5xNGW', 'cJypyPO8rO', 'WALpIOTwV3', 'LWJpVknyEB', 'ytopw6LDLQ', 'mLLp0UykgD', 'AtwpSmJi87', 'Cnepx8kVWe', 'GWppZuD8vY', 'oqppJriIib'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, TXTbaGQ0KUAcEUAtid.csHigh entropy of concatenated method names: 'ToString', 'TtHRhpUCln', 'pG3RU9aWwk', 'G6nRawma52', 'c6pRrQdDaa', 'VCtRNfHd9E', 'xvQRLoDLvG', 'oAfREvRsAX', 'yPrRT69IYS', 'FAAROs0UBC'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, oHURga50K82imqYymd.csHigh entropy of concatenated method names: 'Y9OWAitGvW', 'BtOWGqQgC9', 'hr4WcKImj8', 'YVFWCXCtSh', 'qdJWbokoxF', 'JKLWFJ5Omp', 'UT7WXpSOQB', 'oG8W50ZV6f', 'CijWegWBTr', 'zEuW3bOm9o'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, WW5xheokSZ8VVQ7D4i.csHigh entropy of concatenated method names: 's0k63lyo9M', 'LQN6m60Rin', 'ToString', 'toH6GKe6Wh', 'TZv6cP2vju', 'z3f6CWU2Qy', 'wny6bIZsRN', 'CPn6FfIp4U', 'nwf6Xe1Os9', 'peZ65PuBsQ'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, DZ8ZB3BdHeRtLT0553.csHigh entropy of concatenated method names: 'yp1FAwiPds', 'gmHFcUGU58', 'sdkFbcg9t8', 'ogKFX8TAmC', 'IeXF5HpVcp', 'ljvbHsi1m9', 'NBJb2T8PIi', 'Wdtb4c8IZY', 'LU0bMQCZQw', 'rp7b1tUyMi'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, eep0eurW4XfvJow9uS.csHigh entropy of concatenated method names: 'c4iFfe83g6', 'QRGFvRbTKJ', 'P4eFIGU0fQ', 'MaCFVRcylQ', 'PqcF0JPVdb', 'nftFSVBo4b', 'vk5FZPqWu9', 'lKoFJIC6qr', 'UNQ1pNpAUEdQ3wkmRfm', 'eD6QfLp3AJ6Ow5jJNsU'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, Xk6pi9CtV2cWLNt0YA.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q8bu15Fk3w', 'VT3uPhVA7u', 'wxHuz7X647', 'mybWdsr719', 'QQmWisF5rs', 'qh3WuIgWsB', 'ThKWWTEdos', 'vl9qsV5Z5fX68FLsYAB'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, jOPHPw9WEuBY3DCChO.csHigh entropy of concatenated method names: 'E3KkxAREvr', 'qeikZJ24iS', 'lxYkBaHxe3', 'EPxkUIY348', 'LXDkrcNwpe', 'scwkNPAsRO', 'Ub6kEKKkBS', 'EiEkT6KfG2', 'u2YkgIYcJ8', 'xv1khY6Y97'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, OTVyyWl5Lo9Aatm1D4.csHigh entropy of concatenated method names: 'K69qgtNZY1', 'knQqKQP4q2', 'kylqlmh7pe', 'iglqDRGCEe', 'Gt9qUGJHrP', 'BI1qah6E2n', 'GkAqrEuUKA', 'iWjqNxa12B', 'XHgqLP9dy5', 'er9qE0hd1X'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, jg8gKduya513c4c42N.csHigh entropy of concatenated method names: 'OKmIFfqwa', 'VfIV5rOyF', 'yvB0e9iJu', 'xtfSvZeVq', 'WBiZ3Hs6E', 'PG9J7sBLW', 'uSkaQrQrl3e2RtcAiu', 'p01fGAYKGNZY9W9DIi', 'UYjsvrOlH', 'VvaYEds6O'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, EEXWFIEZeH8bTA0oOc.csHigh entropy of concatenated method names: 'JnbXG5nyxx', 'bYaXCjI879', 'yExXFqlk2w', 'Ol7FPMpMct', 'pRbFzMiLVX', 'JIAXd9POST', 'PdAXiNs5yZ', 'NH2XuXyUuv', 'zBjXWdtZ8s', 'RqnX8DuLw8'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, wnqWLXMJX3pNWvkjNt.csHigh entropy of concatenated method names: 'QftsG30VQl', 'ChTscnI1Cw', 'oWHsCjqNr8', 'wnmsbPtQgE', 'NZcsFFFTvh', 'iDrsXwfF3o', 'qHps5A8T1E', 'wwpseCyJ3W', 'Gt5s312fOZ', 'tRnsmmrCd3'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, Q1yxb5cLC9fn5s9rZZ.csHigh entropy of concatenated method names: 'Dispose', 'HO4i1RiFWH', 'AwmuUqiw1b', 'U6snn7CPol', 'M7niPqWLXJ', 'j3pizNWvkj', 'ProcessDialogKey', 'JtkudDXOKo', 'yIbuiNE6rs', 'f63uuuGIP4'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, kpTloqiW2SE0hI0NgKE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ExWYl0q9gj', 'FCkYDwZfFd', 'qYTYQbdFlP', 'f20YotXqNi', 'g6vYHQbJhm', 'mF8Y2tBTng', 'zWyY4NWXOo'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, rA6FNO8JLBoShZm83v.csHigh entropy of concatenated method names: 'A7uiX75OHE', 'PKCi5mLTZp', 'XABi35KCyG', 'ECoimf4w7c', 'edviqXHSZ8', 'EB3iRdHeRt', 'ApaUycuuayBlF8BUuy', 'QS9ZbqDwG0sjUr26FY', 'yPvii9Fy4m', 'y0DiWScJlZ'
            Source: 0.2.RFQ STS3780082024.exe.38c7b28.2.raw.unpack, Vw7c5ZJwx3H6LAdvXH.csHigh entropy of concatenated method names: 'o8ibwFJAQN', 'ptlbSB8eAR', 'r09CaLu6bq', 'SS9CrWA2nI', 'rxECNPXbrb', 'GSsCLndw74', 'cq0CEg7Lej', 'fYPCTlu11B', 'ILyCO0dCla', 'zKrCgiySR9'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, BwMyEtOMEZLZYAjRrQ.csHigh entropy of concatenated method names: 'QOIXviPese', 'zD7XycAovT', 'MH9XInxAxv', 'pnHXVdKFSE', 'vZ0XwMdeBS', 'oKdX0sim2c', 'gwyXSauUhd', 'ceXXxGjhoU', 'a16XZeLSya', 'g7XXJoXsVp'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, AocHb1ZAB5KCyGZCof.csHigh entropy of concatenated method names: 'OnQCVliLw1', 'stMC0sX34S', 'qsaCx7RHcR', 'lSxCZkp3Yi', 'rGZCqJv7MP', 'STsCRcNBAR', 'SA6C6ydHO4', 'G1qCsfKqiR', 'a3UCpn58Uj', 'bB1CYa7JCw'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, b75OHExKKCmLTZp12S.csHigh entropy of concatenated method names: 'nqFclMjCTM', 'An8cD75oqS', 'eavcQN8GhY', 'OJncoPxDb1', 'AbFcH01LPk', 'cK2c2yGQa5', 'YQKc415PaR', 'jLUcMwO5Tc', 'aHfc1w1FYm', 'PrWcP7USly'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, bGIP4VPhgee4XJbWYW.csHigh entropy of concatenated method names: 'hCWpiOjgtk', 'Jo9pW8SSPK', 'kQ9p8Z71ox', 'AX1pGS9Vqm', 'R0apcBdnFT', 'V3vpbGBxSO', 'OPYpFlm4Bq', 'jeMs4qGKB4', 'y75sMbgast', 'uJns16vRqM'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, nDXOKo1yIbNE6rsG63.csHigh entropy of concatenated method names: 'ATQsBAEcCs', 'gfesULGWWR', 'vD2sa6mqAR', 'g2nsrVh99B', 'radslXh4MW', 'nEUsNgW7xp', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, ECXidh2Ok4EYkVxfJM.csHigh entropy of concatenated method names: 'mVG6MeMqa1', 'wS36PHsUuM', 'XHmsd5Y6rH', 'qbasiWUWy2', 'eI36hLXL6U', 'nug6K8vjfH', 'dZS69EEdEE', 'k1V6lKGDWE', 'pWk6DsBec8', 'Ojq6QGwpj6'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, Ed6mgvidnb18jusbqYM.csHigh entropy of concatenated method names: 'FGwpv5xNGW', 'cJypyPO8rO', 'WALpIOTwV3', 'LWJpVknyEB', 'ytopw6LDLQ', 'mLLp0UykgD', 'AtwpSmJi87', 'Cnepx8kVWe', 'GWppZuD8vY', 'oqppJriIib'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, TXTbaGQ0KUAcEUAtid.csHigh entropy of concatenated method names: 'ToString', 'TtHRhpUCln', 'pG3RU9aWwk', 'G6nRawma52', 'c6pRrQdDaa', 'VCtRNfHd9E', 'xvQRLoDLvG', 'oAfREvRsAX', 'yPrRT69IYS', 'FAAROs0UBC'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, oHURga50K82imqYymd.csHigh entropy of concatenated method names: 'Y9OWAitGvW', 'BtOWGqQgC9', 'hr4WcKImj8', 'YVFWCXCtSh', 'qdJWbokoxF', 'JKLWFJ5Omp', 'UT7WXpSOQB', 'oG8W50ZV6f', 'CijWegWBTr', 'zEuW3bOm9o'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, WW5xheokSZ8VVQ7D4i.csHigh entropy of concatenated method names: 's0k63lyo9M', 'LQN6m60Rin', 'ToString', 'toH6GKe6Wh', 'TZv6cP2vju', 'z3f6CWU2Qy', 'wny6bIZsRN', 'CPn6FfIp4U', 'nwf6Xe1Os9', 'peZ65PuBsQ'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, DZ8ZB3BdHeRtLT0553.csHigh entropy of concatenated method names: 'yp1FAwiPds', 'gmHFcUGU58', 'sdkFbcg9t8', 'ogKFX8TAmC', 'IeXF5HpVcp', 'ljvbHsi1m9', 'NBJb2T8PIi', 'Wdtb4c8IZY', 'LU0bMQCZQw', 'rp7b1tUyMi'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, eep0eurW4XfvJow9uS.csHigh entropy of concatenated method names: 'c4iFfe83g6', 'QRGFvRbTKJ', 'P4eFIGU0fQ', 'MaCFVRcylQ', 'PqcF0JPVdb', 'nftFSVBo4b', 'vk5FZPqWu9', 'lKoFJIC6qr', 'UNQ1pNpAUEdQ3wkmRfm', 'eD6QfLp3AJ6Ow5jJNsU'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, Xk6pi9CtV2cWLNt0YA.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q8bu15Fk3w', 'VT3uPhVA7u', 'wxHuz7X647', 'mybWdsr719', 'QQmWisF5rs', 'qh3WuIgWsB', 'ThKWWTEdos', 'vl9qsV5Z5fX68FLsYAB'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, jOPHPw9WEuBY3DCChO.csHigh entropy of concatenated method names: 'E3KkxAREvr', 'qeikZJ24iS', 'lxYkBaHxe3', 'EPxkUIY348', 'LXDkrcNwpe', 'scwkNPAsRO', 'Ub6kEKKkBS', 'EiEkT6KfG2', 'u2YkgIYcJ8', 'xv1khY6Y97'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, OTVyyWl5Lo9Aatm1D4.csHigh entropy of concatenated method names: 'K69qgtNZY1', 'knQqKQP4q2', 'kylqlmh7pe', 'iglqDRGCEe', 'Gt9qUGJHrP', 'BI1qah6E2n', 'GkAqrEuUKA', 'iWjqNxa12B', 'XHgqLP9dy5', 'er9qE0hd1X'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, jg8gKduya513c4c42N.csHigh entropy of concatenated method names: 'OKmIFfqwa', 'VfIV5rOyF', 'yvB0e9iJu', 'xtfSvZeVq', 'WBiZ3Hs6E', 'PG9J7sBLW', 'uSkaQrQrl3e2RtcAiu', 'p01fGAYKGNZY9W9DIi', 'UYjsvrOlH', 'VvaYEds6O'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, EEXWFIEZeH8bTA0oOc.csHigh entropy of concatenated method names: 'JnbXG5nyxx', 'bYaXCjI879', 'yExXFqlk2w', 'Ol7FPMpMct', 'pRbFzMiLVX', 'JIAXd9POST', 'PdAXiNs5yZ', 'NH2XuXyUuv', 'zBjXWdtZ8s', 'RqnX8DuLw8'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, wnqWLXMJX3pNWvkjNt.csHigh entropy of concatenated method names: 'QftsG30VQl', 'ChTscnI1Cw', 'oWHsCjqNr8', 'wnmsbPtQgE', 'NZcsFFFTvh', 'iDrsXwfF3o', 'qHps5A8T1E', 'wwpseCyJ3W', 'Gt5s312fOZ', 'tRnsmmrCd3'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, Q1yxb5cLC9fn5s9rZZ.csHigh entropy of concatenated method names: 'Dispose', 'HO4i1RiFWH', 'AwmuUqiw1b', 'U6snn7CPol', 'M7niPqWLXJ', 'j3pizNWvkj', 'ProcessDialogKey', 'JtkudDXOKo', 'yIbuiNE6rs', 'f63uuuGIP4'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, kpTloqiW2SE0hI0NgKE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ExWYl0q9gj', 'FCkYDwZfFd', 'qYTYQbdFlP', 'f20YotXqNi', 'g6vYHQbJhm', 'mF8Y2tBTng', 'zWyY4NWXOo'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, rA6FNO8JLBoShZm83v.csHigh entropy of concatenated method names: 'A7uiX75OHE', 'PKCi5mLTZp', 'XABi35KCyG', 'ECoimf4w7c', 'edviqXHSZ8', 'EB3iRdHeRt', 'ApaUycuuayBlF8BUuy', 'QS9ZbqDwG0sjUr26FY', 'yPvii9Fy4m', 'y0DiWScJlZ'
            Source: 0.2.RFQ STS3780082024.exe.3a69fb0.0.raw.unpack, Vw7c5ZJwx3H6LAdvXH.csHigh entropy of concatenated method names: 'o8ibwFJAQN', 'ptlbSB8eAR', 'r09CaLu6bq', 'SS9CrWA2nI', 'rxECNPXbrb', 'GSsCLndw74', 'cq0CEg7Lej', 'fYPCTlu11B', 'ILyCO0dCla', 'zKrCgiySR9'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, BwMyEtOMEZLZYAjRrQ.csHigh entropy of concatenated method names: 'QOIXviPese', 'zD7XycAovT', 'MH9XInxAxv', 'pnHXVdKFSE', 'vZ0XwMdeBS', 'oKdX0sim2c', 'gwyXSauUhd', 'ceXXxGjhoU', 'a16XZeLSya', 'g7XXJoXsVp'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, AocHb1ZAB5KCyGZCof.csHigh entropy of concatenated method names: 'OnQCVliLw1', 'stMC0sX34S', 'qsaCx7RHcR', 'lSxCZkp3Yi', 'rGZCqJv7MP', 'STsCRcNBAR', 'SA6C6ydHO4', 'G1qCsfKqiR', 'a3UCpn58Uj', 'bB1CYa7JCw'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, b75OHExKKCmLTZp12S.csHigh entropy of concatenated method names: 'nqFclMjCTM', 'An8cD75oqS', 'eavcQN8GhY', 'OJncoPxDb1', 'AbFcH01LPk', 'cK2c2yGQa5', 'YQKc415PaR', 'jLUcMwO5Tc', 'aHfc1w1FYm', 'PrWcP7USly'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, bGIP4VPhgee4XJbWYW.csHigh entropy of concatenated method names: 'hCWpiOjgtk', 'Jo9pW8SSPK', 'kQ9p8Z71ox', 'AX1pGS9Vqm', 'R0apcBdnFT', 'V3vpbGBxSO', 'OPYpFlm4Bq', 'jeMs4qGKB4', 'y75sMbgast', 'uJns16vRqM'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, nDXOKo1yIbNE6rsG63.csHigh entropy of concatenated method names: 'ATQsBAEcCs', 'gfesULGWWR', 'vD2sa6mqAR', 'g2nsrVh99B', 'radslXh4MW', 'nEUsNgW7xp', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, ECXidh2Ok4EYkVxfJM.csHigh entropy of concatenated method names: 'mVG6MeMqa1', 'wS36PHsUuM', 'XHmsd5Y6rH', 'qbasiWUWy2', 'eI36hLXL6U', 'nug6K8vjfH', 'dZS69EEdEE', 'k1V6lKGDWE', 'pWk6DsBec8', 'Ojq6QGwpj6'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, Ed6mgvidnb18jusbqYM.csHigh entropy of concatenated method names: 'FGwpv5xNGW', 'cJypyPO8rO', 'WALpIOTwV3', 'LWJpVknyEB', 'ytopw6LDLQ', 'mLLp0UykgD', 'AtwpSmJi87', 'Cnepx8kVWe', 'GWppZuD8vY', 'oqppJriIib'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, TXTbaGQ0KUAcEUAtid.csHigh entropy of concatenated method names: 'ToString', 'TtHRhpUCln', 'pG3RU9aWwk', 'G6nRawma52', 'c6pRrQdDaa', 'VCtRNfHd9E', 'xvQRLoDLvG', 'oAfREvRsAX', 'yPrRT69IYS', 'FAAROs0UBC'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, oHURga50K82imqYymd.csHigh entropy of concatenated method names: 'Y9OWAitGvW', 'BtOWGqQgC9', 'hr4WcKImj8', 'YVFWCXCtSh', 'qdJWbokoxF', 'JKLWFJ5Omp', 'UT7WXpSOQB', 'oG8W50ZV6f', 'CijWegWBTr', 'zEuW3bOm9o'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, WW5xheokSZ8VVQ7D4i.csHigh entropy of concatenated method names: 's0k63lyo9M', 'LQN6m60Rin', 'ToString', 'toH6GKe6Wh', 'TZv6cP2vju', 'z3f6CWU2Qy', 'wny6bIZsRN', 'CPn6FfIp4U', 'nwf6Xe1Os9', 'peZ65PuBsQ'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, DZ8ZB3BdHeRtLT0553.csHigh entropy of concatenated method names: 'yp1FAwiPds', 'gmHFcUGU58', 'sdkFbcg9t8', 'ogKFX8TAmC', 'IeXF5HpVcp', 'ljvbHsi1m9', 'NBJb2T8PIi', 'Wdtb4c8IZY', 'LU0bMQCZQw', 'rp7b1tUyMi'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, eep0eurW4XfvJow9uS.csHigh entropy of concatenated method names: 'c4iFfe83g6', 'QRGFvRbTKJ', 'P4eFIGU0fQ', 'MaCFVRcylQ', 'PqcF0JPVdb', 'nftFSVBo4b', 'vk5FZPqWu9', 'lKoFJIC6qr', 'UNQ1pNpAUEdQ3wkmRfm', 'eD6QfLp3AJ6Ow5jJNsU'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, Xk6pi9CtV2cWLNt0YA.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q8bu15Fk3w', 'VT3uPhVA7u', 'wxHuz7X647', 'mybWdsr719', 'QQmWisF5rs', 'qh3WuIgWsB', 'ThKWWTEdos', 'vl9qsV5Z5fX68FLsYAB'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, jOPHPw9WEuBY3DCChO.csHigh entropy of concatenated method names: 'E3KkxAREvr', 'qeikZJ24iS', 'lxYkBaHxe3', 'EPxkUIY348', 'LXDkrcNwpe', 'scwkNPAsRO', 'Ub6kEKKkBS', 'EiEkT6KfG2', 'u2YkgIYcJ8', 'xv1khY6Y97'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, OTVyyWl5Lo9Aatm1D4.csHigh entropy of concatenated method names: 'K69qgtNZY1', 'knQqKQP4q2', 'kylqlmh7pe', 'iglqDRGCEe', 'Gt9qUGJHrP', 'BI1qah6E2n', 'GkAqrEuUKA', 'iWjqNxa12B', 'XHgqLP9dy5', 'er9qE0hd1X'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, jg8gKduya513c4c42N.csHigh entropy of concatenated method names: 'OKmIFfqwa', 'VfIV5rOyF', 'yvB0e9iJu', 'xtfSvZeVq', 'WBiZ3Hs6E', 'PG9J7sBLW', 'uSkaQrQrl3e2RtcAiu', 'p01fGAYKGNZY9W9DIi', 'UYjsvrOlH', 'VvaYEds6O'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, EEXWFIEZeH8bTA0oOc.csHigh entropy of concatenated method names: 'JnbXG5nyxx', 'bYaXCjI879', 'yExXFqlk2w', 'Ol7FPMpMct', 'pRbFzMiLVX', 'JIAXd9POST', 'PdAXiNs5yZ', 'NH2XuXyUuv', 'zBjXWdtZ8s', 'RqnX8DuLw8'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, wnqWLXMJX3pNWvkjNt.csHigh entropy of concatenated method names: 'QftsG30VQl', 'ChTscnI1Cw', 'oWHsCjqNr8', 'wnmsbPtQgE', 'NZcsFFFTvh', 'iDrsXwfF3o', 'qHps5A8T1E', 'wwpseCyJ3W', 'Gt5s312fOZ', 'tRnsmmrCd3'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, Q1yxb5cLC9fn5s9rZZ.csHigh entropy of concatenated method names: 'Dispose', 'HO4i1RiFWH', 'AwmuUqiw1b', 'U6snn7CPol', 'M7niPqWLXJ', 'j3pizNWvkj', 'ProcessDialogKey', 'JtkudDXOKo', 'yIbuiNE6rs', 'f63uuuGIP4'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, kpTloqiW2SE0hI0NgKE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ExWYl0q9gj', 'FCkYDwZfFd', 'qYTYQbdFlP', 'f20YotXqNi', 'g6vYHQbJhm', 'mF8Y2tBTng', 'zWyY4NWXOo'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, rA6FNO8JLBoShZm83v.csHigh entropy of concatenated method names: 'A7uiX75OHE', 'PKCi5mLTZp', 'XABi35KCyG', 'ECoimf4w7c', 'edviqXHSZ8', 'EB3iRdHeRt', 'ApaUycuuayBlF8BUuy', 'QS9ZbqDwG0sjUr26FY', 'yPvii9Fy4m', 'y0DiWScJlZ'
            Source: 0.2.RFQ STS3780082024.exe.6e80000.4.raw.unpack, Vw7c5ZJwx3H6LAdvXH.csHigh entropy of concatenated method names: 'o8ibwFJAQN', 'ptlbSB8eAR', 'r09CaLu6bq', 'SS9CrWA2nI', 'rxECNPXbrb', 'GSsCLndw74', 'cq0CEg7Lej', 'fYPCTlu11B', 'ILyCO0dCla', 'zKrCgiySR9'

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: RFQ STS3780082024.exe PID: 7316, type: MEMORYSTR
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 27B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 27F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 47F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 76A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 7080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 86A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: 96A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123096E rdtsc 5_2_0123096E
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6196Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2581Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI coverage: 0.6 %
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exe TID: 7336Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7536Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: RFQ STS3780082024.exe, 00000000.00000002.1696339255.0000000000A02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123096E rdtsc 5_2_0123096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00417283 LdrLoadDll,5_2_00417283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01220124 mov eax, dword ptr fs:[00000030h]5_2_01220124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov eax, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov ecx, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov eax, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov eax, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov ecx, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov eax, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov eax, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov ecx, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov eax, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E10E mov ecx, dword ptr fs:[00000030h]5_2_0129E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129A118 mov ecx, dword ptr fs:[00000030h]5_2_0129A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129A118 mov eax, dword ptr fs:[00000030h]5_2_0129A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129A118 mov eax, dword ptr fs:[00000030h]5_2_0129A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129A118 mov eax, dword ptr fs:[00000030h]5_2_0129A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B0115 mov eax, dword ptr fs:[00000030h]5_2_012B0115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EC156 mov eax, dword ptr fs:[00000030h]5_2_011EC156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4164 mov eax, dword ptr fs:[00000030h]5_2_012C4164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4164 mov eax, dword ptr fs:[00000030h]5_2_012C4164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6154 mov eax, dword ptr fs:[00000030h]5_2_011F6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6154 mov eax, dword ptr fs:[00000030h]5_2_011F6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01284144 mov eax, dword ptr fs:[00000030h]5_2_01284144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01284144 mov eax, dword ptr fs:[00000030h]5_2_01284144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01284144 mov ecx, dword ptr fs:[00000030h]5_2_01284144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01284144 mov eax, dword ptr fs:[00000030h]5_2_01284144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01284144 mov eax, dword ptr fs:[00000030h]5_2_01284144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01288158 mov eax, dword ptr fs:[00000030h]5_2_01288158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EA197 mov eax, dword ptr fs:[00000030h]5_2_011EA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EA197 mov eax, dword ptr fs:[00000030h]5_2_011EA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EA197 mov eax, dword ptr fs:[00000030h]5_2_011EA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AC188 mov eax, dword ptr fs:[00000030h]5_2_012AC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AC188 mov eax, dword ptr fs:[00000030h]5_2_012AC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01230185 mov eax, dword ptr fs:[00000030h]5_2_01230185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01294180 mov eax, dword ptr fs:[00000030h]5_2_01294180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01294180 mov eax, dword ptr fs:[00000030h]5_2_01294180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127019F mov eax, dword ptr fs:[00000030h]5_2_0127019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127019F mov eax, dword ptr fs:[00000030h]5_2_0127019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127019F mov eax, dword ptr fs:[00000030h]5_2_0127019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127019F mov eax, dword ptr fs:[00000030h]5_2_0127019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C61E5 mov eax, dword ptr fs:[00000030h]5_2_012C61E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012201F8 mov eax, dword ptr fs:[00000030h]5_2_012201F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B61C3 mov eax, dword ptr fs:[00000030h]5_2_012B61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B61C3 mov eax, dword ptr fs:[00000030h]5_2_012B61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E1D0 mov eax, dword ptr fs:[00000030h]5_2_0126E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E1D0 mov eax, dword ptr fs:[00000030h]5_2_0126E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E1D0 mov ecx, dword ptr fs:[00000030h]5_2_0126E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E1D0 mov eax, dword ptr fs:[00000030h]5_2_0126E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E1D0 mov eax, dword ptr fs:[00000030h]5_2_0126E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01286030 mov eax, dword ptr fs:[00000030h]5_2_01286030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01274000 mov ecx, dword ptr fs:[00000030h]5_2_01274000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01292000 mov eax, dword ptr fs:[00000030h]5_2_01292000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E016 mov eax, dword ptr fs:[00000030h]5_2_0120E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E016 mov eax, dword ptr fs:[00000030h]5_2_0120E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E016 mov eax, dword ptr fs:[00000030h]5_2_0120E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E016 mov eax, dword ptr fs:[00000030h]5_2_0120E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EA020 mov eax, dword ptr fs:[00000030h]5_2_011EA020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EC020 mov eax, dword ptr fs:[00000030h]5_2_011EC020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F2050 mov eax, dword ptr fs:[00000030h]5_2_011F2050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121C073 mov eax, dword ptr fs:[00000030h]5_2_0121C073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276050 mov eax, dword ptr fs:[00000030h]5_2_01276050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012880A8 mov eax, dword ptr fs:[00000030h]5_2_012880A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B60B8 mov eax, dword ptr fs:[00000030h]5_2_012B60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B60B8 mov ecx, dword ptr fs:[00000030h]5_2_012B60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F208A mov eax, dword ptr fs:[00000030h]5_2_011F208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E80A0 mov eax, dword ptr fs:[00000030h]5_2_011E80A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012760E0 mov eax, dword ptr fs:[00000030h]5_2_012760E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012320F0 mov ecx, dword ptr fs:[00000030h]5_2_012320F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EC0F0 mov eax, dword ptr fs:[00000030h]5_2_011EC0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F80E9 mov eax, dword ptr fs:[00000030h]5_2_011F80E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012720DE mov eax, dword ptr fs:[00000030h]5_2_012720DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EA0E3 mov ecx, dword ptr fs:[00000030h]5_2_011EA0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C8324 mov eax, dword ptr fs:[00000030h]5_2_012C8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C8324 mov ecx, dword ptr fs:[00000030h]5_2_012C8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C8324 mov eax, dword ptr fs:[00000030h]5_2_012C8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C8324 mov eax, dword ptr fs:[00000030h]5_2_012C8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EC310 mov ecx, dword ptr fs:[00000030h]5_2_011EC310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A30B mov eax, dword ptr fs:[00000030h]5_2_0122A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A30B mov eax, dword ptr fs:[00000030h]5_2_0122A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A30B mov eax, dword ptr fs:[00000030h]5_2_0122A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01210310 mov ecx, dword ptr fs:[00000030h]5_2_01210310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129437C mov eax, dword ptr fs:[00000030h]5_2_0129437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C634F mov eax, dword ptr fs:[00000030h]5_2_012C634F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01272349 mov eax, dword ptr fs:[00000030h]5_2_01272349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BA352 mov eax, dword ptr fs:[00000030h]5_2_012BA352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01298350 mov ecx, dword ptr fs:[00000030h]5_2_01298350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127035C mov eax, dword ptr fs:[00000030h]5_2_0127035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127035C mov eax, dword ptr fs:[00000030h]5_2_0127035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127035C mov eax, dword ptr fs:[00000030h]5_2_0127035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127035C mov ecx, dword ptr fs:[00000030h]5_2_0127035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127035C mov eax, dword ptr fs:[00000030h]5_2_0127035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127035C mov eax, dword ptr fs:[00000030h]5_2_0127035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8397 mov eax, dword ptr fs:[00000030h]5_2_011E8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8397 mov eax, dword ptr fs:[00000030h]5_2_011E8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8397 mov eax, dword ptr fs:[00000030h]5_2_011E8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EE388 mov eax, dword ptr fs:[00000030h]5_2_011EE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EE388 mov eax, dword ptr fs:[00000030h]5_2_011EE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EE388 mov eax, dword ptr fs:[00000030h]5_2_011EE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121438F mov eax, dword ptr fs:[00000030h]5_2_0121438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121438F mov eax, dword ptr fs:[00000030h]5_2_0121438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012003E9 mov eax, dword ptr fs:[00000030h]5_2_012003E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E3F0 mov eax, dword ptr fs:[00000030h]5_2_0120E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E3F0 mov eax, dword ptr fs:[00000030h]5_2_0120E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E3F0 mov eax, dword ptr fs:[00000030h]5_2_0120E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012263FF mov eax, dword ptr fs:[00000030h]5_2_012263FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h]5_2_011F83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h]5_2_011F83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h]5_2_011F83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F83C0 mov eax, dword ptr fs:[00000030h]5_2_011F83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h]5_2_011FA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h]5_2_011FA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h]5_2_011FA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h]5_2_011FA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h]5_2_011FA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA3C0 mov eax, dword ptr fs:[00000030h]5_2_011FA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AC3CD mov eax, dword ptr fs:[00000030h]5_2_012AC3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012763C0 mov eax, dword ptr fs:[00000030h]5_2_012763C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E3DB mov eax, dword ptr fs:[00000030h]5_2_0129E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E3DB mov eax, dword ptr fs:[00000030h]5_2_0129E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E3DB mov ecx, dword ptr fs:[00000030h]5_2_0129E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129E3DB mov eax, dword ptr fs:[00000030h]5_2_0129E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012943D4 mov eax, dword ptr fs:[00000030h]5_2_012943D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012943D4 mov eax, dword ptr fs:[00000030h]5_2_012943D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E823B mov eax, dword ptr fs:[00000030h]5_2_011E823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6259 mov eax, dword ptr fs:[00000030h]5_2_011F6259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EA250 mov eax, dword ptr fs:[00000030h]5_2_011EA250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A0274 mov eax, dword ptr fs:[00000030h]5_2_012A0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01278243 mov eax, dword ptr fs:[00000030h]5_2_01278243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01278243 mov ecx, dword ptr fs:[00000030h]5_2_01278243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C625D mov eax, dword ptr fs:[00000030h]5_2_012C625D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E826B mov eax, dword ptr fs:[00000030h]5_2_011E826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AA250 mov eax, dword ptr fs:[00000030h]5_2_012AA250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AA250 mov eax, dword ptr fs:[00000030h]5_2_012AA250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4260 mov eax, dword ptr fs:[00000030h]5_2_011F4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4260 mov eax, dword ptr fs:[00000030h]5_2_011F4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4260 mov eax, dword ptr fs:[00000030h]5_2_011F4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012002A0 mov eax, dword ptr fs:[00000030h]5_2_012002A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012002A0 mov eax, dword ptr fs:[00000030h]5_2_012002A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h]5_2_012862A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012862A0 mov ecx, dword ptr fs:[00000030h]5_2_012862A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h]5_2_012862A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h]5_2_012862A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h]5_2_012862A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012862A0 mov eax, dword ptr fs:[00000030h]5_2_012862A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01270283 mov eax, dword ptr fs:[00000030h]5_2_01270283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01270283 mov eax, dword ptr fs:[00000030h]5_2_01270283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01270283 mov eax, dword ptr fs:[00000030h]5_2_01270283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E284 mov eax, dword ptr fs:[00000030h]5_2_0122E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E284 mov eax, dword ptr fs:[00000030h]5_2_0122E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012002E1 mov eax, dword ptr fs:[00000030h]5_2_012002E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012002E1 mov eax, dword ptr fs:[00000030h]5_2_012002E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012002E1 mov eax, dword ptr fs:[00000030h]5_2_012002E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h]5_2_011FA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h]5_2_011FA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h]5_2_011FA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h]5_2_011FA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA2C3 mov eax, dword ptr fs:[00000030h]5_2_011FA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C62D6 mov eax, dword ptr fs:[00000030h]5_2_012C62D6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200535 mov eax, dword ptr fs:[00000030h]5_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200535 mov eax, dword ptr fs:[00000030h]5_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200535 mov eax, dword ptr fs:[00000030h]5_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200535 mov eax, dword ptr fs:[00000030h]5_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200535 mov eax, dword ptr fs:[00000030h]5_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200535 mov eax, dword ptr fs:[00000030h]5_2_01200535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h]5_2_0121E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h]5_2_0121E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h]5_2_0121E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h]5_2_0121E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E53E mov eax, dword ptr fs:[00000030h]5_2_0121E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01286500 mov eax, dword ptr fs:[00000030h]5_2_01286500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4500 mov eax, dword ptr fs:[00000030h]5_2_012C4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122656A mov eax, dword ptr fs:[00000030h]5_2_0122656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122656A mov eax, dword ptr fs:[00000030h]5_2_0122656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122656A mov eax, dword ptr fs:[00000030h]5_2_0122656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F8550 mov eax, dword ptr fs:[00000030h]5_2_011F8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F8550 mov eax, dword ptr fs:[00000030h]5_2_011F8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012705A7 mov eax, dword ptr fs:[00000030h]5_2_012705A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012705A7 mov eax, dword ptr fs:[00000030h]5_2_012705A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012705A7 mov eax, dword ptr fs:[00000030h]5_2_012705A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012145B1 mov eax, dword ptr fs:[00000030h]5_2_012145B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012145B1 mov eax, dword ptr fs:[00000030h]5_2_012145B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F2582 mov eax, dword ptr fs:[00000030h]5_2_011F2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F2582 mov ecx, dword ptr fs:[00000030h]5_2_011F2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01224588 mov eax, dword ptr fs:[00000030h]5_2_01224588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E59C mov eax, dword ptr fs:[00000030h]5_2_0122E59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E5E7 mov eax, dword ptr fs:[00000030h]5_2_0121E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F65D0 mov eax, dword ptr fs:[00000030h]5_2_011F65D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C5ED mov eax, dword ptr fs:[00000030h]5_2_0122C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C5ED mov eax, dword ptr fs:[00000030h]5_2_0122C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E5CF mov eax, dword ptr fs:[00000030h]5_2_0122E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E5CF mov eax, dword ptr fs:[00000030h]5_2_0122E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A5D0 mov eax, dword ptr fs:[00000030h]5_2_0122A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A5D0 mov eax, dword ptr fs:[00000030h]5_2_0122A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F25E0 mov eax, dword ptr fs:[00000030h]5_2_011F25E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01276420 mov eax, dword ptr fs:[00000030h]5_2_01276420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A430 mov eax, dword ptr fs:[00000030h]5_2_0122A430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01228402 mov eax, dword ptr fs:[00000030h]5_2_01228402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01228402 mov eax, dword ptr fs:[00000030h]5_2_01228402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01228402 mov eax, dword ptr fs:[00000030h]5_2_01228402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EC427 mov eax, dword ptr fs:[00000030h]5_2_011EC427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EE420 mov eax, dword ptr fs:[00000030h]5_2_011EE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EE420 mov eax, dword ptr fs:[00000030h]5_2_011EE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011EE420 mov eax, dword ptr fs:[00000030h]5_2_011EE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E645D mov eax, dword ptr fs:[00000030h]5_2_011E645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127C460 mov ecx, dword ptr fs:[00000030h]5_2_0127C460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121A470 mov eax, dword ptr fs:[00000030h]5_2_0121A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121A470 mov eax, dword ptr fs:[00000030h]5_2_0121A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121A470 mov eax, dword ptr fs:[00000030h]5_2_0121A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122E443 mov eax, dword ptr fs:[00000030h]5_2_0122E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121245A mov eax, dword ptr fs:[00000030h]5_2_0121245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AA456 mov eax, dword ptr fs:[00000030h]5_2_012AA456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012244B0 mov ecx, dword ptr fs:[00000030h]5_2_012244B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127A4B0 mov eax, dword ptr fs:[00000030h]5_2_0127A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012AA49A mov eax, dword ptr fs:[00000030h]5_2_012AA49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F64AB mov eax, dword ptr fs:[00000030h]5_2_011F64AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F04E5 mov ecx, dword ptr fs:[00000030h]5_2_011F04E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C720 mov eax, dword ptr fs:[00000030h]5_2_0122C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C720 mov eax, dword ptr fs:[00000030h]5_2_0122C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0710 mov eax, dword ptr fs:[00000030h]5_2_011F0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126C730 mov eax, dword ptr fs:[00000030h]5_2_0126C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122273C mov eax, dword ptr fs:[00000030h]5_2_0122273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122273C mov ecx, dword ptr fs:[00000030h]5_2_0122273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122273C mov eax, dword ptr fs:[00000030h]5_2_0122273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C700 mov eax, dword ptr fs:[00000030h]5_2_0122C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01220710 mov eax, dword ptr fs:[00000030h]5_2_01220710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0750 mov eax, dword ptr fs:[00000030h]5_2_011F0750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200770 mov eax, dword ptr fs:[00000030h]5_2_01200770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F8770 mov eax, dword ptr fs:[00000030h]5_2_011F8770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122674D mov esi, dword ptr fs:[00000030h]5_2_0122674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122674D mov eax, dword ptr fs:[00000030h]5_2_0122674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122674D mov eax, dword ptr fs:[00000030h]5_2_0122674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01274755 mov eax, dword ptr fs:[00000030h]5_2_01274755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232750 mov eax, dword ptr fs:[00000030h]5_2_01232750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232750 mov eax, dword ptr fs:[00000030h]5_2_01232750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127E75D mov eax, dword ptr fs:[00000030h]5_2_0127E75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A47A0 mov eax, dword ptr fs:[00000030h]5_2_012A47A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129678E mov eax, dword ptr fs:[00000030h]5_2_0129678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F07AF mov eax, dword ptr fs:[00000030h]5_2_011F07AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127E7E1 mov eax, dword ptr fs:[00000030h]5_2_0127E7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012127ED mov eax, dword ptr fs:[00000030h]5_2_012127ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012127ED mov eax, dword ptr fs:[00000030h]5_2_012127ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012127ED mov eax, dword ptr fs:[00000030h]5_2_012127ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FC7C0 mov eax, dword ptr fs:[00000030h]5_2_011FC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F47FB mov eax, dword ptr fs:[00000030h]5_2_011F47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F47FB mov eax, dword ptr fs:[00000030h]5_2_011F47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012707C3 mov eax, dword ptr fs:[00000030h]5_2_012707C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01226620 mov eax, dword ptr fs:[00000030h]5_2_01226620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01228620 mov eax, dword ptr fs:[00000030h]5_2_01228620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120E627 mov eax, dword ptr fs:[00000030h]5_2_0120E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120260B mov eax, dword ptr fs:[00000030h]5_2_0120260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E609 mov eax, dword ptr fs:[00000030h]5_2_0126E609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F262C mov eax, dword ptr fs:[00000030h]5_2_011F262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01232619 mov eax, dword ptr fs:[00000030h]5_2_01232619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A660 mov eax, dword ptr fs:[00000030h]5_2_0122A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A660 mov eax, dword ptr fs:[00000030h]5_2_0122A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B866E mov eax, dword ptr fs:[00000030h]5_2_012B866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B866E mov eax, dword ptr fs:[00000030h]5_2_012B866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01222674 mov eax, dword ptr fs:[00000030h]5_2_01222674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0120C640 mov eax, dword ptr fs:[00000030h]5_2_0120C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C6A6 mov eax, dword ptr fs:[00000030h]5_2_0122C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4690 mov eax, dword ptr fs:[00000030h]5_2_011F4690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4690 mov eax, dword ptr fs:[00000030h]5_2_011F4690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012266B0 mov eax, dword ptr fs:[00000030h]5_2_012266B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E6F2 mov eax, dword ptr fs:[00000030h]5_2_0126E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E6F2 mov eax, dword ptr fs:[00000030h]5_2_0126E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E6F2 mov eax, dword ptr fs:[00000030h]5_2_0126E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E6F2 mov eax, dword ptr fs:[00000030h]5_2_0126E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012706F1 mov eax, dword ptr fs:[00000030h]5_2_012706F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012706F1 mov eax, dword ptr fs:[00000030h]5_2_012706F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0122A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A6C7 mov eax, dword ptr fs:[00000030h]5_2_0122A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0128892B mov eax, dword ptr fs:[00000030h]5_2_0128892B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8918 mov eax, dword ptr fs:[00000030h]5_2_011E8918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8918 mov eax, dword ptr fs:[00000030h]5_2_011E8918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127892A mov eax, dword ptr fs:[00000030h]5_2_0127892A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E908 mov eax, dword ptr fs:[00000030h]5_2_0126E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126E908 mov eax, dword ptr fs:[00000030h]5_2_0126E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127C912 mov eax, dword ptr fs:[00000030h]5_2_0127C912
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01216962 mov eax, dword ptr fs:[00000030h]5_2_01216962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01216962 mov eax, dword ptr fs:[00000030h]5_2_01216962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01216962 mov eax, dword ptr fs:[00000030h]5_2_01216962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123096E mov eax, dword ptr fs:[00000030h]5_2_0123096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123096E mov edx, dword ptr fs:[00000030h]5_2_0123096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0123096E mov eax, dword ptr fs:[00000030h]5_2_0123096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01294978 mov eax, dword ptr fs:[00000030h]5_2_01294978
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01294978 mov eax, dword ptr fs:[00000030h]5_2_01294978
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127C97C mov eax, dword ptr fs:[00000030h]5_2_0127C97C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01270946 mov eax, dword ptr fs:[00000030h]5_2_01270946
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4940 mov eax, dword ptr fs:[00000030h]5_2_012C4940
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012029A0 mov eax, dword ptr fs:[00000030h]5_2_012029A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012789B3 mov esi, dword ptr fs:[00000030h]5_2_012789B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012789B3 mov eax, dword ptr fs:[00000030h]5_2_012789B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012789B3 mov eax, dword ptr fs:[00000030h]5_2_012789B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F09AD mov eax, dword ptr fs:[00000030h]5_2_011F09AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F09AD mov eax, dword ptr fs:[00000030h]5_2_011F09AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127E9E0 mov eax, dword ptr fs:[00000030h]5_2_0127E9E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA9D0 mov eax, dword ptr fs:[00000030h]5_2_011FA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA9D0 mov eax, dword ptr fs:[00000030h]5_2_011FA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA9D0 mov eax, dword ptr fs:[00000030h]5_2_011FA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA9D0 mov eax, dword ptr fs:[00000030h]5_2_011FA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA9D0 mov eax, dword ptr fs:[00000030h]5_2_011FA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FA9D0 mov eax, dword ptr fs:[00000030h]5_2_011FA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012229F9 mov eax, dword ptr fs:[00000030h]5_2_012229F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012229F9 mov eax, dword ptr fs:[00000030h]5_2_012229F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012869C0 mov eax, dword ptr fs:[00000030h]5_2_012869C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012249D0 mov eax, dword ptr fs:[00000030h]5_2_012249D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BA9D3 mov eax, dword ptr fs:[00000030h]5_2_012BA9D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122A830 mov eax, dword ptr fs:[00000030h]5_2_0122A830
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129483A mov eax, dword ptr fs:[00000030h]5_2_0129483A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129483A mov eax, dword ptr fs:[00000030h]5_2_0129483A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212835 mov eax, dword ptr fs:[00000030h]5_2_01212835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212835 mov eax, dword ptr fs:[00000030h]5_2_01212835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212835 mov eax, dword ptr fs:[00000030h]5_2_01212835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212835 mov ecx, dword ptr fs:[00000030h]5_2_01212835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212835 mov eax, dword ptr fs:[00000030h]5_2_01212835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01212835 mov eax, dword ptr fs:[00000030h]5_2_01212835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127C810 mov eax, dword ptr fs:[00000030h]5_2_0127C810
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4859 mov eax, dword ptr fs:[00000030h]5_2_011F4859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F4859 mov eax, dword ptr fs:[00000030h]5_2_011F4859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127E872 mov eax, dword ptr fs:[00000030h]5_2_0127E872
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127E872 mov eax, dword ptr fs:[00000030h]5_2_0127E872
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01286870 mov eax, dword ptr fs:[00000030h]5_2_01286870
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01286870 mov eax, dword ptr fs:[00000030h]5_2_01286870
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01202840 mov ecx, dword ptr fs:[00000030h]5_2_01202840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01220854 mov eax, dword ptr fs:[00000030h]5_2_01220854
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0887 mov eax, dword ptr fs:[00000030h]5_2_011F0887
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127C89D mov eax, dword ptr fs:[00000030h]5_2_0127C89D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BA8E4 mov eax, dword ptr fs:[00000030h]5_2_012BA8E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C8F9 mov eax, dword ptr fs:[00000030h]5_2_0122C8F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122C8F9 mov eax, dword ptr fs:[00000030h]5_2_0122C8F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121E8C0 mov eax, dword ptr fs:[00000030h]5_2_0121E8C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C08C0 mov eax, dword ptr fs:[00000030h]5_2_012C08C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121EB20 mov eax, dword ptr fs:[00000030h]5_2_0121EB20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121EB20 mov eax, dword ptr fs:[00000030h]5_2_0121EB20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B8B28 mov eax, dword ptr fs:[00000030h]5_2_012B8B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012B8B28 mov eax, dword ptr fs:[00000030h]5_2_012B8B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4B00 mov eax, dword ptr fs:[00000030h]5_2_012C4B00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126EB1D mov eax, dword ptr fs:[00000030h]5_2_0126EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011E8B50 mov eax, dword ptr fs:[00000030h]5_2_011E8B50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011ECB7E mov eax, dword ptr fs:[00000030h]5_2_011ECB7E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A4B4B mov eax, dword ptr fs:[00000030h]5_2_012A4B4B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A4B4B mov eax, dword ptr fs:[00000030h]5_2_012A4B4B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01286B40 mov eax, dword ptr fs:[00000030h]5_2_01286B40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01286B40 mov eax, dword ptr fs:[00000030h]5_2_01286B40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012BAB40 mov eax, dword ptr fs:[00000030h]5_2_012BAB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01298B42 mov eax, dword ptr fs:[00000030h]5_2_01298B42
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129EB50 mov eax, dword ptr fs:[00000030h]5_2_0129EB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C2B57 mov eax, dword ptr fs:[00000030h]5_2_012C2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C2B57 mov eax, dword ptr fs:[00000030h]5_2_012C2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C2B57 mov eax, dword ptr fs:[00000030h]5_2_012C2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C2B57 mov eax, dword ptr fs:[00000030h]5_2_012C2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A4BB0 mov eax, dword ptr fs:[00000030h]5_2_012A4BB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012A4BB0 mov eax, dword ptr fs:[00000030h]5_2_012A4BB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200BBE mov eax, dword ptr fs:[00000030h]5_2_01200BBE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200BBE mov eax, dword ptr fs:[00000030h]5_2_01200BBE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0BCD mov eax, dword ptr fs:[00000030h]5_2_011F0BCD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0BCD mov eax, dword ptr fs:[00000030h]5_2_011F0BCD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F0BCD mov eax, dword ptr fs:[00000030h]5_2_011F0BCD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127CBF0 mov eax, dword ptr fs:[00000030h]5_2_0127CBF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121EBFC mov eax, dword ptr fs:[00000030h]5_2_0121EBFC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01210BCB mov eax, dword ptr fs:[00000030h]5_2_01210BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01210BCB mov eax, dword ptr fs:[00000030h]5_2_01210BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01210BCB mov eax, dword ptr fs:[00000030h]5_2_01210BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F8BF0 mov eax, dword ptr fs:[00000030h]5_2_011F8BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F8BF0 mov eax, dword ptr fs:[00000030h]5_2_011F8BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F8BF0 mov eax, dword ptr fs:[00000030h]5_2_011F8BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129EBD0 mov eax, dword ptr fs:[00000030h]5_2_0129EBD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122CA24 mov eax, dword ptr fs:[00000030h]5_2_0122CA24
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0121EA2E mov eax, dword ptr fs:[00000030h]5_2_0121EA2E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01214A35 mov eax, dword ptr fs:[00000030h]5_2_01214A35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01214A35 mov eax, dword ptr fs:[00000030h]5_2_01214A35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122CA38 mov eax, dword ptr fs:[00000030h]5_2_0122CA38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0127CA11 mov eax, dword ptr fs:[00000030h]5_2_0127CA11
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0129EA60 mov eax, dword ptr fs:[00000030h]5_2_0129EA60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122CA6F mov eax, dword ptr fs:[00000030h]5_2_0122CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122CA6F mov eax, dword ptr fs:[00000030h]5_2_0122CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0122CA6F mov eax, dword ptr fs:[00000030h]5_2_0122CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011F6A50 mov eax, dword ptr fs:[00000030h]5_2_011F6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126CA72 mov eax, dword ptr fs:[00000030h]5_2_0126CA72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0126CA72 mov eax, dword ptr fs:[00000030h]5_2_0126CA72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200A5B mov eax, dword ptr fs:[00000030h]5_2_01200A5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01200A5B mov eax, dword ptr fs:[00000030h]5_2_01200A5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01246AA4 mov eax, dword ptr fs:[00000030h]5_2_01246AA4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_011FEA80 mov eax, dword ptr fs:[00000030h]5_2_011FEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_012C4A80 mov eax, dword ptr fs:[00000030h]5_2_012C4A80
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"Jump to behavior
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 80C008Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Users\user\Desktop\RFQ STS3780082024.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ STS3780082024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            DLL Side-Loading            		311
            Process Injection            		1
            Masquerading            		OS Credential Dumping21
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		12
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            DLL Side-Loading            		11
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
            Virtualization/Sandbox Evasion            		Security Account Manager41
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1500397 Sample: RFQ STS3780082024.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected FormBook 2->26 28 7 other signatures 2->28 7 RFQ STS3780082024.exe 4 2->7         started        process3 file4 20 C:\Users\user\...\RFQ STS3780082024.exe.log, ASCII 7->20 dropped 30 Writes to foreign memory regions 7->30 32 Allocates memory in foreign processes 7->32 34 Adds a directory exclusion to Windows Defender 7->34 36 Injects a PE file into a foreign processes 7->36 11 powershell.exe 23 7->11         started        14 MSBuild.exe 7->14         started        16 MSBuild.exe 7->16         started        signatures5 process6 signatures7 38 Loading BitLocker PowerShell Module 11->38 18 conhost.exe 11->18         started        process8

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            RFQ STS3780082024.exe50%ReversingLabsByteCode-MSIL.Spyware.Negasteal
            RFQ STS3780082024.exe63%VirustotalBrowse
            RFQ STS3780082024.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            bg.microsoft.map.fastly.net0%VirustotalBrowse
            fp2e7a.wpc.phicdn.net0%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://www.fontbureau.com0%URL Reputationsafe
            http://www.fontbureau.com0%URL Reputationsafe
            http://www.fontbureau.com/designersG0%URL Reputationsafe
            http://www.fontbureau.com/designers/?0%URL Reputationsafe
            http://www.fontbureau.com/designers/?0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.fontbureau.com/designers?0%URL Reputationsafe
            http://www.fontbureau.com/designers?0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.fontbureau.com/designers0%URL Reputationsafe
            http://www.fontbureau.com/designers0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.apache.org/licenses/LICENSE-2.00%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.fontbureau.com/designers80%URL Reputationsafe
            http://www.fonts.com0%URL Reputationsafe
            http://www.fonts.com0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://tempuri.org/tt.xsd;VP_Lab_6.Properties.Resources0%Avira URL Cloudsafe
            http://tempuri.org/tt.xsd;VP_Lab_6.Properties.Resources1%VirustotalBrowse
            http://www.apache.org/licenses/LICENSE-2.00%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            bg.microsoft.map.fastly.net
            		199.232.210.172
            		truefalseunknown
            fp2e7a.wpc.phicdn.net
            		192.229.221.95
            		truefalseunknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.apache.org/licenses/LICENSE-2.0RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            http://www.fontbureau.comRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designersGRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/?RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cn/bTheRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers?RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.tiro.comRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designersRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.goodfont.co.krRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://tempuri.org/tt.xsd;VP_Lab_6.Properties.ResourcesRFQ STS3780082024.exefalse
            • 1%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            http://www.carterandcone.comlRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.sajatypeworks.comRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.typography.netDRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/cabarga.htmlNRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cn/cTheRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.galapagosdesign.com/staff/dennis.htmRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cnRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/frere-user.htmlRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.jiyu-kobo.co.jp/RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.galapagosdesign.com/DPleaseRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers8RFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fonts.comRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.sandoll.co.krRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.urwpp.deDPleaseRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.zhongyicts.com.cnRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRFQ STS3780082024.exe, 00000000.00000002.1698168982.000000000282A000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.sakkal.comRFQ STS3780082024.exe, 00000000.00000002.1700359196.0000000006972000.00000004.00000800.00020000.00000000.sdmp, RFQ STS3780082024.exe, 00000000.00000002.1700223321.00000000051F4000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1500397
            Start date and time:2024-08-28 12:12:07 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 0s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:RFQ STS3780082024.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@8/6@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 97%
            • Number of executed functions: 42
            • Number of non-executed functions: 271
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 184.28.90.27, 40.68.123.157, 199.232.210.172, 192.229.221.95, 20.3.187.198
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            06:12:55API Interceptor1x Sleep call for process: RFQ STS3780082024.exe modified
            06:12:57API Interceptor8x Sleep call for process: powershell.exe modified
            06:13:04API Interceptor3x Sleep call for process: MSBuild.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            bg.microsoft.map.fastly.netUploadCustomersTemplate(2).xlsmGet hashmaliciousUnknownBrowse
            • 199.232.214.172
            SharkHCShark.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
            • 199.232.210.172
            UploadCustomersTemplate(2).xlsmGet hashmaliciousUnknownBrowse
            • 199.232.214.172
            https://en.aiacademy.twGet hashmaliciousUnknownBrowse
            • 199.232.210.172
            https://emea.dcv.ms/haHCQHi4RDGet hashmaliciousHTMLPhisherBrowse
            • 199.232.214.172
            https://aka.ms/LearnAboutSenderIdentificationGet hashmaliciousHTMLPhisherBrowse
            • 199.232.214.172
            http://tekrollindustrial.com.br/wp-includes/kr.html#kh.jang@hyundaimovex.comGet hashmaliciousHTMLPhisherBrowse
            • 199.232.210.172
            https://my-apps-885d2a67.azurewebsites.netGet hashmaliciousHTMLPhisherBrowse
            • 199.232.214.172
            LX4CUQO8qI.dllGet hashmaliciousCobaltStrikeBrowse
            • 199.232.210.172
            ibero.batGet hashmaliciousSilverRatBrowse
            • 199.232.210.172
            fp2e7a.wpc.phicdn.nethttps://s3.amazonaws.com/i0a07640/3/reschedule8.htmGet hashmaliciousUnknownBrowse
            • 192.229.221.95
            SharkHCShark.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
            • 192.229.221.95
            https://en.aiacademy.twGet hashmaliciousUnknownBrowse
            • 192.229.221.95
            https://dropbox-files-online.tiiny.site/?token=69090208-80b8-4346-ad00-dfe054582d02=&ci=example@domain.comGet hashmaliciousHTMLPhisherBrowse
            • 192.229.221.95
            https://emea.dcv.ms/haHCQHi4RDGet hashmaliciousHTMLPhisherBrowse
            • 192.229.221.95
            https://aka.ms/LearnAboutSenderIdentificationGet hashmaliciousHTMLPhisherBrowse
            • 192.229.221.95
            http://tekrollindustrial.com.br/wp-includes/kr.html#kh.jang@hyundaimovex.comGet hashmaliciousHTMLPhisherBrowse
            • 192.229.221.95
            https://my-apps-885d2a67.azurewebsites.netGet hashmaliciousHTMLPhisherBrowse
            • 192.229.221.95
            https://www.wpspublish.com/customer/account/createPassword/?id=28732&token=k5FPAv4ZQlJ0DbFv9HIliRQV9FN7ztvsGet hashmaliciousUnknownBrowse
            • 192.229.221.95
            https://bonanzapipeandsteel.marslccs.info/Get hashmaliciousHTMLPhisherBrowse
            • 192.229.221.95

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ STS3780082024.exe.log

            Download File
            Process:C:\Users\user\Desktop\RFQ STS3780082024.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):1172
            Entropy (8bit):5.354777075714867
            Encrypted:false
            SSDEEP:24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
            MD5:92C17FC0DE8449D1E50ED56DBEBAA35D
            SHA1:A617D392757DC7B1BEF28448B72CBD131CF4D0FB
            SHA-256:DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
            SHA-512:603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ukbocuc.xhg.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aj4revyi.lf2.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdoz4beh.t1g.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vplyho4s.lei.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.765055268975442
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:RFQ STS3780082024.exe
            File size:816'640 bytes
            MD5:9a057309180e58b6f230abfddd69d641
            SHA1:fdd107e8261be425264c7863b07cdbaec37a23cf
            SHA256:f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
            SHA512:acd0bafc14f9407efa966e2f93a45cceeeecef145cd021bf1fd28689cdc4ba8d678d31d2390c57f3f00d63720b38bb15edffcbdea496cab29f2602bcff203a93
            SSDEEP:12288:J4psMlFytfdaeytmhMkYdqBrpBpYys5GQypWGyxoL4iL0sa0FUpH+UaRQ4HX3EyU:J4LeOdqBVBgoDyRiAgFUpeUQR33z6p
            TLSH:850501682605EA13DAA597F509F0F278137C6EC9B902E2139FD8BDEBB836F005D45187
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..f..............0..T... ......bs... ........@.. ....................................@................................

            File Icon

            Icon Hash:ecf092ceccd0c4c4

            Static PE Info

            General

            Entrypoint:0x4c7362
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x66CDE135 [Tue Aug 27 14:22:45 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add dword ptr [eax], eax
            add byte ptr [eax], al
            add al, byte ptr [eax]
            add byte ptr [eax], al
            add eax, dword ptr [eax]
            add byte ptr [eax], al
            add al, 00h
            add byte ptr [eax], al
            add eax, 06000000h
            add byte ptr [eax], al
            add byte ptr [edi], al
            add byte ptr [eax], al
            add byte ptr [eax], cl
            add byte ptr [eax], al
            add byte ptr [ecx], cl
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xc73100x4f.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xc80000x1de4.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0xca0000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x20000xc53900xc5400171639b42b4b9cf2750264e181cceef2False0.9063081729245881data7.771271485735661IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc0xc80000x1de40x1e005351820941cc5960c96a0fe6f65810c2False0.8223958333333333data7.2553266911668395IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0xca0000xc0x200ba5e0c79fa5d9784f9b61a2042a2c4acFalse0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xc81000x17f9PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9074466351637608
            RT_GROUP_ICON0xc990c0x14data1.05
            RT_VERSION0xc99300x2b2data0.45217391304347826
            RT_MANIFEST0xc9bf40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

            Imports

            DLLImport
            mscoree.dll_CorExeMain

            Network Behavior

            Network Port Distribution

            TCP Packets

            TimestampSource PortDest PortSource IPDest IP
            Aug 28, 2024 12:12:51.899056911 CEST49675443192.168.2.4173.222.162.32
            Aug 28, 2024 12:13:01.508373976 CEST49675443192.168.2.4173.222.162.32
            Aug 28, 2024 12:14:08.820911884 CEST4972380192.168.2.4199.232.214.172
            Aug 28, 2024 12:14:08.826283932 CEST8049723199.232.214.172192.168.2.4
            Aug 28, 2024 12:14:08.826334953 CEST4972380192.168.2.4199.232.214.172

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Aug 28, 2024 12:13:14.936080933 CEST1.1.1.1192.168.2.40xc50cNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
            Aug 28, 2024 12:13:14.936080933 CEST1.1.1.1192.168.2.40xc50cNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
            Aug 28, 2024 12:13:15.426440001 CEST1.1.1.1192.168.2.40xf12aNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
            Aug 28, 2024 12:13:15.426440001 CEST1.1.1.1192.168.2.40xf12aNo error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false
            Aug 28, 2024 12:13:28.906732082 CEST1.1.1.1192.168.2.40xbe62No error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
            Aug 28, 2024 12:13:28.906732082 CEST1.1.1.1192.168.2.40xbe62No error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:06:12:54
            Start date:28/08/2024
            Path:C:\Users\user\Desktop\RFQ STS3780082024.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\RFQ STS3780082024.exe"
            Imagebase:0x4c0000
            File size:816'640 bytes
            MD5 hash:9A057309180E58B6F230ABFDDD69D641
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:06:12:57
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ STS3780082024.exe"
            Imagebase:0x970000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:3
            Start time:06:12:57
            Start date:28/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Imagebase:0x2d0000
            File size:262'432 bytes
            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:4
            Start time:06:12:57
            Start date:28/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:5
            Start time:06:12:57
            Start date:28/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Imagebase:0x6d0000
            File size:262'432 bytes
            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1758552750.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:12%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:240
              Total number of Limit Nodes:13
              execution_graph 21084 27b4668 21085 27b467a 21084->21085 21089 27b4686 21085->21089 21090 27b4779 21085->21090 21087 27b46a5 21095 27b3e40 21089->21095 21091 27b479d 21090->21091 21099 27b4879 21091->21099 21103 27b4888 21091->21103 21092 27b47a7 21092->21089 21096 27b3e4b 21095->21096 21111 27b5d28 21096->21111 21098 27b721f 21098->21087 21100 27b48af 21099->21100 21102 27b498c 21100->21102 21107 27b44c4 21100->21107 21102->21092 21104 27b48af 21103->21104 21105 27b44c4 CreateActCtxA 21104->21105 21106 27b498c 21104->21106 21105->21106 21106->21092 21108 27b5918 CreateActCtxA 21107->21108 21110 27b59db 21108->21110 21110->21110 21112 27b5d33 21111->21112 21115 27b5d74 21112->21115 21114 27b7395 21114->21098 21116 27b5d7f 21115->21116 21119 27b5da4 21116->21119 21118 27b747a 21118->21114 21120 27b5daf 21119->21120 21123 27b5dd4 21120->21123 21122 27b756d 21122->21118 21124 27b5ddf 21123->21124 21126 27b8acb 21124->21126 21130 27bb180 21124->21130 21125 27b8b09 21125->21122 21126->21125 21134 27bd278 21126->21134 21139 27bd268 21126->21139 21144 27bb1b8 21130->21144 21148 27bb1a8 21130->21148 21131 27bb196 21131->21126 21135 27bd299 21134->21135 21136 27bd2bd 21135->21136 21191 27bd428 21135->21191 21195 27bd3e5 21135->21195 21136->21125 21140 27bd299 21139->21140 21141 27bd2bd 21140->21141 21142 27bd428 4 API calls 21140->21142 21143 27bd3e5 4 API calls 21140->21143 21141->21125 21142->21141 21143->21141 21153 27bb29f 21144->21153 21163 27bb2b0 21144->21163 21145 27bb1c7 21145->21131 21149 27bb1b8 21148->21149 21151 27bb29f 3 API calls 21149->21151 21152 27bb2b0 3 API calls 21149->21152 21150 27bb1c7 21150->21131 21151->21150 21152->21150 21154 27bb2b0 21153->21154 21157 27bb2e4 21154->21157 21173 27bac64 21154->21173 21157->21145 21158 27bb2dc 21158->21157 21159 27bb4e8 GetModuleHandleW 21158->21159 21160 27bb515 21159->21160 21160->21145 21164 27bb2c1 21163->21164 21167 27bb2e4 21163->21167 21165 27bac64 GetModuleHandleW 21164->21165 21166 27bb2cc 21165->21166 21166->21167 21171 27bb53a 2 API calls 21166->21171 21172 27bb548 2 API calls 21166->21172 21167->21145 21168 27bb2dc 21168->21167 21169 27bb4e8 GetModuleHandleW 21168->21169 21170 27bb515 21169->21170 21170->21145 21171->21168 21172->21168 21174 27bb4a0 GetModuleHandleW 21173->21174 21176 27bb2cc 21174->21176 21176->21157 21177 27bb548 21176->21177 21182 27bb53a 21176->21182 21178 27bac64 GetModuleHandleW 21177->21178 21179 27bb55c 21178->21179 21180 27bb581 21179->21180 21187 27bacc8 21179->21187 21180->21158 21183 27bac64 GetModuleHandleW 21182->21183 21184 27bb55c 21182->21184 21183->21184 21185 27bacc8 LoadLibraryExW 21184->21185 21186 27bb581 21184->21186 21185->21186 21186->21158 21188 27bb728 LoadLibraryExW 21187->21188 21190 27bb7a1 21188->21190 21190->21180 21192 27bd435 21191->21192 21193 27bd46f 21192->21193 21199 27bcf88 21192->21199 21193->21136 21196 27bd435 21195->21196 21197 27bd46f 21196->21197 21198 27bcf88 4 API calls 21196->21198 21197->21136 21198->21197 21200 27bcf93 21199->21200 21202 27bdd80 21200->21202 21203 27bd0b4 21200->21203 21202->21202 21204 27bd0bf 21203->21204 21205 27b5dd4 4 API calls 21204->21205 21206 27bddef 21205->21206 21206->21202 21207 6f3ad98 21208 6f3af23 21207->21208 21210 6f3adbe 21207->21210 21210->21208 21211 6f389a8 21210->21211 21212 6f3b018 PostMessageW 21211->21212 21213 6f3b084 21212->21213 21213->21210 21214 27bd540 21215 27bd586 21214->21215 21219 27bd720 21215->21219 21222 27bd710 21215->21222 21216 27bd673 21225 27bd050 21219->21225 21223 27bd74e 21222->21223 21224 27bd050 DuplicateHandle 21222->21224 21223->21216 21224->21223 21226 27bd788 DuplicateHandle 21225->21226 21227 27bd74e 21226->21227 21227->21216 21228 6f384cd 21229 6f384d3 21228->21229 21233 6f39aa0 21229->21233 21251 6f39a91 21229->21251 21230 6f384de 21234 6f39aba 21233->21234 21235 6f39ac2 21234->21235 21269 6f39f41 21234->21269 21273 6f3a502 21234->21273 21277 6f3a1a2 21234->21277 21281 6f3a1fc 21234->21281 21285 6f3a33d 21234->21285 21290 6f39fbd 21234->21290 21299 6f3a15f 21234->21299 21303 6f39f9b 21234->21303 21308 6f3a275 21234->21308 21313 6f39ed7 21234->21313 21318 6f3a3d0 21234->21318 21323 6f3a231 21234->21323 21327 6f3a1d3 21234->21327 21332 6f3a04e 21234->21332 21336 6f3a005 21234->21336 21235->21230 21252 6f39aba 21251->21252 21253 6f3a1d3 2 API calls 21252->21253 21254 6f3a231 2 API calls 21252->21254 21255 6f3a3d0 2 API calls 21252->21255 21256 6f39ed7 2 API calls 21252->21256 21257 6f39ac2 21252->21257 21258 6f3a275 2 API calls 21252->21258 21259 6f39f9b 2 API calls 21252->21259 21260 6f3a15f 2 API calls 21252->21260 21261 6f39fbd 4 API calls 21252->21261 21262 6f3a33d 2 API calls 21252->21262 21263 6f3a1fc 2 API calls 21252->21263 21264 6f3a1a2 2 API calls 21252->21264 21265 6f3a502 2 API calls 21252->21265 21266 6f39f41 2 API calls 21252->21266 21267 6f3a005 2 API calls 21252->21267 21268 6f3a04e 2 API calls 21252->21268 21253->21257 21254->21257 21255->21257 21256->21257 21257->21230 21258->21257 21259->21257 21260->21257 21261->21257 21262->21257 21263->21257 21264->21257 21265->21257 21266->21257 21267->21257 21268->21257 21270 6f39f7c 21269->21270 21340 6f37e58 21269->21340 21344 6f37e4c 21269->21344 21270->21235 21348 6f37600 21273->21348 21352 6f375f9 21273->21352 21274 6f3a51c 21356 6f3ab30 21277->21356 21362 6f3ab40 21277->21362 21278 6f3a1be 21278->21235 21282 6f3a04d 21281->21282 21282->21235 21375 6f37550 21282->21375 21379 6f37549 21282->21379 21286 6f3a343 21285->21286 21383 6f37bd0 21286->21383 21387 6f37bc9 21286->21387 21287 6f3a36e 21287->21235 21287->21287 21291 6f39fd8 21290->21291 21292 6f3a002 21290->21292 21291->21292 21294 6f39fa4 21291->21294 21297 6f37550 ResumeThread 21292->21297 21298 6f37549 ResumeThread 21292->21298 21293 6f3a744 21295 6f37bd0 WriteProcessMemory 21294->21295 21296 6f37bc9 WriteProcessMemory 21294->21296 21295->21293 21296->21293 21297->21292 21298->21292 21301 6f37600 Wow64SetThreadContext 21299->21301 21302 6f375f9 Wow64SetThreadContext 21299->21302 21300 6f3a179 21301->21300 21302->21300 21305 6f39fa4 21303->21305 21304 6f3a744 21306 6f37bd0 WriteProcessMemory 21305->21306 21307 6f37bc9 WriteProcessMemory 21305->21307 21306->21304 21307->21304 21309 6f39fa4 21308->21309 21309->21308 21311 6f37bd0 WriteProcessMemory 21309->21311 21312 6f37bc9 WriteProcessMemory 21309->21312 21310 6f3a744 21311->21310 21312->21310 21314 6f39ee5 21313->21314 21316 6f37e58 CreateProcessA 21314->21316 21317 6f37e4c CreateProcessA 21314->21317 21315 6f39f7c 21315->21235 21316->21315 21317->21315 21319 6f3a3d6 21318->21319 21321 6f37bd0 WriteProcessMemory 21319->21321 21322 6f37bc9 WriteProcessMemory 21319->21322 21320 6f3a36e 21320->21235 21321->21320 21322->21320 21391 6f37cc0 21323->21391 21395 6f37cba 21323->21395 21324 6f3a256 21328 6f3a1f6 21327->21328 21330 6f37bd0 WriteProcessMemory 21328->21330 21331 6f37bc9 WriteProcessMemory 21328->21331 21329 6f3a68f 21330->21329 21331->21329 21333 6f3a068 21332->21333 21334 6f37550 ResumeThread 21333->21334 21335 6f37549 ResumeThread 21333->21335 21334->21333 21335->21333 21337 6f3a00b 21336->21337 21338 6f37550 ResumeThread 21337->21338 21339 6f37549 ResumeThread 21337->21339 21338->21337 21339->21337 21341 6f37ee1 21340->21341 21341->21341 21342 6f38046 CreateProcessA 21341->21342 21343 6f380a3 21342->21343 21345 6f37e52 CreateProcessA 21344->21345 21347 6f380a3 21345->21347 21347->21347 21349 6f37645 Wow64SetThreadContext 21348->21349 21351 6f3768d 21349->21351 21351->21274 21353 6f37600 Wow64SetThreadContext 21352->21353 21355 6f3768d 21353->21355 21355->21274 21357 6f3ab3e 21356->21357 21358 6f3ab12 21356->21358 21367 6f37b10 21357->21367 21371 6f37b08 21357->21371 21358->21278 21359 6f3ab74 21359->21278 21363 6f3ab55 21362->21363 21365 6f37b10 VirtualAllocEx 21363->21365 21366 6f37b08 VirtualAllocEx 21363->21366 21364 6f3ab74 21364->21278 21365->21364 21366->21364 21368 6f37b50 VirtualAllocEx 21367->21368 21370 6f37b8d 21368->21370 21370->21359 21372 6f37b10 VirtualAllocEx 21371->21372 21374 6f37b8d 21372->21374 21374->21359 21376 6f37590 ResumeThread 21375->21376 21378 6f375c1 21376->21378 21378->21282 21380 6f37550 ResumeThread 21379->21380 21382 6f375c1 21380->21382 21382->21282 21384 6f37c18 WriteProcessMemory 21383->21384 21386 6f37c6f 21384->21386 21386->21287 21388 6f37bd0 WriteProcessMemory 21387->21388 21390 6f37c6f 21388->21390 21390->21287 21392 6f37d0b ReadProcessMemory 21391->21392 21394 6f37d4f 21392->21394 21394->21324 21396 6f37d0b ReadProcessMemory 21395->21396 21398 6f37d4f 21396->21398 21398->21324

              Executed Functions

              Function 06F321C0 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee464e5dc99e00701cd8ed611dc6e6a6fcf5d2d0d1a9a22567c82ab2796cdeac
              • Instruction ID: 13a676abbf716596562770e5e75f137f7db00484b0265b0a663f09eef479f8a2
              • Opcode Fuzzy Hash: ee464e5dc99e00701cd8ed611dc6e6a6fcf5d2d0d1a9a22567c82ab2796cdeac
              • Instruction Fuzzy Hash: F52105B1D096598FEB48CF96C9447EEBBB6AFC9300F04C06AD409A6268DB7406458F90
              Function 06F321D0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b65d8643f2150d757d0ca050bd95c07997075df2580a5a36a595d16829393a65
              • Instruction ID: acea20e8753ba3a2af1e1d8114b3dbe0143ee85c27799fe36f5eeb4d51e8b551
              • Opcode Fuzzy Hash: b65d8643f2150d757d0ca050bd95c07997075df2580a5a36a595d16829393a65
              • Instruction Fuzzy Hash: 8221C4B1D056298BEB58CF9BC9447EEFAF7AFC9340F04C06AD41966268DB740A45CF90
              Function 06F3A0D6 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57a86eee6b92d5c809d36e99fe1311d7b8919ff59c2d5d6cf407782a37d99268
              • Instruction ID: e9683b89655099f70496f0c470eb13002a25718e5a2bf026278b49ed378f0e06
              • Opcode Fuzzy Hash: 57a86eee6b92d5c809d36e99fe1311d7b8919ff59c2d5d6cf407782a37d99268
              • Instruction Fuzzy Hash: 60D02263C8F024DFEF801F91AC000F8F77CEAC7261F073083C19CA3046822A821A86D9
              Function 027BB2B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 304 27bb2b0-27bb2bf 305 27bb2eb-27bb2ef 304->305 306 27bb2c1-27bb2ce call 27bac64 304->306 307 27bb303-27bb344 305->307 308 27bb2f1-27bb2fb 305->308 311 27bb2d0 306->311 312 27bb2e4 306->312 315 27bb351-27bb35f 307->315 316 27bb346-27bb34e 307->316 308->307 361 27bb2d6 call 27bb53a 311->361 362 27bb2d6 call 27bb548 311->362 312->305 318 27bb383-27bb385 315->318 319 27bb361-27bb366 315->319 316->315 317 27bb2dc-27bb2de 317->312 320 27bb420-27bb439 317->320 321 27bb388-27bb38f 318->321 322 27bb368-27bb36f call 27bac70 319->322 323 27bb371 319->323 337 27bb43e-27bb498 320->337 326 27bb39c-27bb3a3 321->326 327 27bb391-27bb399 321->327 325 27bb373-27bb381 322->325 323->325 325->321 329 27bb3b0-27bb3b9 call 27bac80 326->329 330 27bb3a5-27bb3ad 326->330 327->326 335 27bb3bb-27bb3c3 329->335 336 27bb3c6-27bb3cb 329->336 330->329 335->336 338 27bb3e9-27bb3f6 336->338 339 27bb3cd-27bb3d4 336->339 355 27bb49a-27bb4e0 337->355 346 27bb419-27bb41f 338->346 347 27bb3f8-27bb416 338->347 339->338 341 27bb3d6-27bb3e6 call 27bac90 call 27baca0 339->341 341->338 347->346 356 27bb4e8-27bb513 GetModuleHandleW 355->356 357 27bb4e2-27bb4e5 355->357 358 27bb51c-27bb530 356->358 359 27bb515-27bb51b 356->359 357->356 359->358 361->317 362->317
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: HandleModule
              • String ID: 0O$0O
              • API String ID: 4139908857-234839962
              • Opcode ID: 007feb04d4b38508ebdc5b063f3ae9a35117f3228abbd4cbeba54249339cb325
              • Instruction ID: adc41d34c69757003fb2de6338d558cf5d2573dda5e12e0ed186af55fc7404ae
              • Opcode Fuzzy Hash: 007feb04d4b38508ebdc5b063f3ae9a35117f3228abbd4cbeba54249339cb325
              • Instruction Fuzzy Hash: B5711370A00B058FD765DF6AD05479ABBF1FF88308F00892DD88697A50DB75E945CB90
              Function 06F37E4C Relevance: 1.8, APIs: 1, Instructions: 251processCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 538 6f37e4c-6f37eed 542 6f37f26-6f37f46 538->542 543 6f37eef-6f37ef9 538->543 550 6f37f48-6f37f52 542->550 551 6f37f7f-6f37fae 542->551 543->542 544 6f37efb-6f37efd 543->544 545 6f37f20-6f37f23 544->545 546 6f37eff-6f37f09 544->546 545->542 548 6f37f0b 546->548 549 6f37f0d-6f37f1c 546->549 548->549 549->549 553 6f37f1e 549->553 550->551 552 6f37f54-6f37f56 550->552 559 6f37fb0-6f37fba 551->559 560 6f37fe7-6f380a1 CreateProcessA 551->560 554 6f37f79-6f37f7c 552->554 555 6f37f58-6f37f62 552->555 553->545 554->551 557 6f37f66-6f37f75 555->557 558 6f37f64 555->558 557->557 561 6f37f77 557->561 558->557 559->560 562 6f37fbc-6f37fbe 559->562 571 6f380a3-6f380a9 560->571 572 6f380aa-6f38130 560->572 561->554 564 6f37fe1-6f37fe4 562->564 565 6f37fc0-6f37fca 562->565 564->560 566 6f37fce-6f37fdd 565->566 567 6f37fcc 565->567 566->566 569 6f37fdf 566->569 567->566 569->564 571->572 582 6f38132-6f38136 572->582 583 6f38140-6f38144 572->583 582->583 584 6f38138 582->584 585 6f38146-6f3814a 583->585 586 6f38154-6f38158 583->586 584->583 585->586 589 6f3814c 585->589 587 6f3815a-6f3815e 586->587 588 6f38168-6f3816c 586->588 587->588 590 6f38160 587->590 591 6f3817e-6f38185 588->591 592 6f3816e-6f38174 588->592 589->586 590->588 593 6f38187-6f38196 591->593 594 6f3819c 591->594 592->591 593->594 596 6f3819d 594->596 596->596
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F3808E
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 81b8f3d8d48600c2bcfa6f83dc9018ec167a78b961a2f07cd18304fb6ffb9ed5
              • Instruction ID: f0f8a2f082cf8319ceaea5732b117a8515677bac6d31727627218bc1bd3a6a21
              • Opcode Fuzzy Hash: 81b8f3d8d48600c2bcfa6f83dc9018ec167a78b961a2f07cd18304fb6ffb9ed5
              • Instruction Fuzzy Hash: 9BA17CB1D00229DFDB50DFA8C840BEEBBB2BF44310F1485A9E858A7250DB749985CF91
              Function 06F37E58 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 597 6f37e58-6f37eed 599 6f37f26-6f37f46 597->599 600 6f37eef-6f37ef9 597->600 607 6f37f48-6f37f52 599->607 608 6f37f7f-6f37fae 599->608 600->599 601 6f37efb-6f37efd 600->601 602 6f37f20-6f37f23 601->602 603 6f37eff-6f37f09 601->603 602->599 605 6f37f0b 603->605 606 6f37f0d-6f37f1c 603->606 605->606 606->606 610 6f37f1e 606->610 607->608 609 6f37f54-6f37f56 607->609 616 6f37fb0-6f37fba 608->616 617 6f37fe7-6f380a1 CreateProcessA 608->617 611 6f37f79-6f37f7c 609->611 612 6f37f58-6f37f62 609->612 610->602 611->608 614 6f37f66-6f37f75 612->614 615 6f37f64 612->615 614->614 618 6f37f77 614->618 615->614 616->617 619 6f37fbc-6f37fbe 616->619 628 6f380a3-6f380a9 617->628 629 6f380aa-6f38130 617->629 618->611 621 6f37fe1-6f37fe4 619->621 622 6f37fc0-6f37fca 619->622 621->617 623 6f37fce-6f37fdd 622->623 624 6f37fcc 622->624 623->623 626 6f37fdf 623->626 624->623 626->621 628->629 639 6f38132-6f38136 629->639 640 6f38140-6f38144 629->640 639->640 641 6f38138 639->641 642 6f38146-6f3814a 640->642 643 6f38154-6f38158 640->643 641->640 642->643 646 6f3814c 642->646 644 6f3815a-6f3815e 643->644 645 6f38168-6f3816c 643->645 644->645 647 6f38160 644->647 648 6f3817e-6f38185 645->648 649 6f3816e-6f38174 645->649 646->643 647->645 650 6f38187-6f38196 648->650 651 6f3819c 648->651 649->648 650->651 653 6f3819d 651->653 653->653
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F3808E
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 424272cd51468b1328472ee48ebe239d1d63c7a27eddeeaa307db169c9912764
              • Instruction ID: fb091a2b36c8ac4147116eab204ac0f4bca8c05ca6faa76e8678884221091568
              • Opcode Fuzzy Hash: 424272cd51468b1328472ee48ebe239d1d63c7a27eddeeaa307db169c9912764
              • Instruction Fuzzy Hash: 14916AB1D00229DFDB50DFA8C840BEEBBB2FF48314F1485A9E858A7250DB749985CF91
              Function 027B44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 762 27b44c4-27b59d9 CreateActCtxA 765 27b59db-27b59e1 762->765 766 27b59e2-27b5a3c 762->766 765->766 773 27b5a4b-27b5a4f 766->773 774 27b5a3e-27b5a41 766->774 775 27b5a51-27b5a5d 773->775 776 27b5a60 773->776 774->773 775->776 778 27b5a61 776->778 778->778
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 027B59C9
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 10730c25c7ec865af63fb2cba6cdb9d908a2ce91c13660bb572dc8063924403a
              • Instruction ID: 5ebe764b50c1c1df838fcc88b95e28ba0a1af414f4d00412d740ddf4921f1ee5
              • Opcode Fuzzy Hash: 10730c25c7ec865af63fb2cba6cdb9d908a2ce91c13660bb572dc8063924403a
              • Instruction Fuzzy Hash: CC41E0B0C00619CBDB24DFA9C884BDEBBB5BF49304F20806AD408BB251DB75A949CF90
              Function 027B590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 779 27b590c-27b59d9 CreateActCtxA 781 27b59db-27b59e1 779->781 782 27b59e2-27b5a3c 779->782 781->782 789 27b5a4b-27b5a4f 782->789 790 27b5a3e-27b5a41 782->790 791 27b5a51-27b5a5d 789->791 792 27b5a60 789->792 790->789 791->792 794 27b5a61 792->794 794->794
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 027B59C9
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: b6027eb19eed6f6285645ad8361e878901bba5abade86d928b871edcf497c34a
              • Instruction ID: e8058e39952720a43d5c619e72bb43723163d690479f09fccaa8c659b46aa710
              • Opcode Fuzzy Hash: b6027eb19eed6f6285645ad8361e878901bba5abade86d928b871edcf497c34a
              • Instruction Fuzzy Hash: 5D41D0B0C00719CFDB25DFA9C9847DDBBB5BF49304F24806AD408AB255DB75698ACF90
              Function 06F37BC9 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 795 6f37bc9-6f37c1e 798 6f37c20-6f37c2c 795->798 799 6f37c2e-6f37c6d WriteProcessMemory 795->799 798->799 801 6f37c76-6f37ca6 799->801 802 6f37c6f-6f37c75 799->802 802->801
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F37C60
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 0baf3174f2f38552f46b87e6101e2c9dd247d45e34e8a15d61d700fb025ccd4c
              • Instruction ID: d98af0c5f5693a47d97bfb57ba8571b55e1fbf519a81558c15c70da0fd10ee26
              • Opcode Fuzzy Hash: 0baf3174f2f38552f46b87e6101e2c9dd247d45e34e8a15d61d700fb025ccd4c
              • Instruction Fuzzy Hash: 712135B59003599FCB10DFA9C885BDEBBF4FF48310F10842AE958A7240C7789944CBA4
              Function 06F37BD0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 806 6f37bd0-6f37c1e 808 6f37c20-6f37c2c 806->808 809 6f37c2e-6f37c6d WriteProcessMemory 806->809 808->809 811 6f37c76-6f37ca6 809->811 812 6f37c6f-6f37c75 809->812 812->811
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F37C60
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 84feec8f615960b167d646a7708705782839654a0545222f24da86aded950456
              • Instruction ID: b048a6e64c6baecabecbf7bbb3c57272e6688e855385ab1784b5957620dbcd98
              • Opcode Fuzzy Hash: 84feec8f615960b167d646a7708705782839654a0545222f24da86aded950456
              • Instruction Fuzzy Hash: 6F2125B1D003599FCB10DFA9C885BDEBBF5FF48310F10882AE958A7250C7789944CBA4
              Function 06F375F9 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 816 6f375f9-6f3764b 819 6f3765b-6f3768b Wow64SetThreadContext 816->819 820 6f3764d-6f37659 816->820 822 6f37694-6f376c4 819->822 823 6f3768d-6f37693 819->823 820->819 823->822
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F3767E
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 256953ae9ab020b81cb1d708904eb5d30a841a3f213f570d65637002458527cf
              • Instruction ID: 359483a47eae8abd62e9c0545621a70d2d0495183c6af8caf3cfc5d36d7cc1fd
              • Opcode Fuzzy Hash: 256953ae9ab020b81cb1d708904eb5d30a841a3f213f570d65637002458527cf
              • Instruction Fuzzy Hash: 16213CB1D003199FDB10DFA9C4857EEBBF4EF49324F148429D459A7240C7789545CFA5
              Function 027BD050 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027BD74E,?,?,?,?,?), ref: 027BD80F
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 0c3997ee40efc129d21720ce96b769fa4e52302a1ff5658b0e9272050a53ac9b
              • Instruction ID: bbeda085ceafdd12338a706a8bfb652325dfc0390a150367a9cf5ded559789df
              • Opcode Fuzzy Hash: 0c3997ee40efc129d21720ce96b769fa4e52302a1ff5658b0e9272050a53ac9b
              • Instruction Fuzzy Hash: 9B21E3B59002089FDB10CF9AD984AEEBBF4EB48320F14846AE958A7310D375A944CFA4
              Function 06F37CBA Relevance: 1.6, APIs: 1, Instructions: 64COMMON
              Download Yara Rule
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F37D40
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 4c8462b0d2f86f9d95b6b6358a1b9e78fa754d66074a48d4dc8d2eaa44b2c5bf
              • Instruction ID: 24f54b580e9217b5faa7356a99fe3fdcd60e12977f1c6d8d5eadb0ad7e06d523
              • Opcode Fuzzy Hash: 4c8462b0d2f86f9d95b6b6358a1b9e78fa754d66074a48d4dc8d2eaa44b2c5bf
              • Instruction Fuzzy Hash: 2D2116B1C002599FCB10DFAAC881BEEBBF5FF48320F10842AE959A7250D7389544CFA4
              Function 06F37600 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
              Download Yara Rule
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F3767E
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: e0a0ec77786f02ebf21c81846f29381ba2bef581a814646c336e15930830a755
              • Instruction ID: 22298e88e517c8ae68e5b8ed8c51dafc2cf4f31d4a5a32463764567f465c32fd
              • Opcode Fuzzy Hash: e0a0ec77786f02ebf21c81846f29381ba2bef581a814646c336e15930830a755
              • Instruction Fuzzy Hash: A92138B1D003198FDB10DFAAC4857EEBBF4EF49324F108429D459A7240C7789945CFA4
              Function 06F37CC0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
              Download Yara Rule
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F37D40
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 487b2a910949fc657d297877afa81c093ebf63e8727cfecaa890c9a8329d2e31
              • Instruction ID: 1731e5ea313666518ace4fab7cbebc8ccd800ff159496033338a48748ed8eae5
              • Opcode Fuzzy Hash: 487b2a910949fc657d297877afa81c093ebf63e8727cfecaa890c9a8329d2e31
              • Instruction Fuzzy Hash: 6521E6B1D002599FDB10DFAAC885BEEBBF5FF48320F108429E559A7250C7749544CBA5
              Function 027BD780 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027BD74E,?,?,?,?,?), ref: 027BD80F
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 0c1dee88c7159dff21fcdf7f00f23bee99293ec61347e04855ffa47350d6cd77
              • Instruction ID: ce55e7b1729584e19e28bf86f0c36dade15f8335074b680b88d73b73dac061f8
              • Opcode Fuzzy Hash: 0c1dee88c7159dff21fcdf7f00f23bee99293ec61347e04855ffa47350d6cd77
              • Instruction Fuzzy Hash: 2121EFB5D00208DFDB10CFA9D584ADEBBF5FB48320F24842AE958A3350D378A944CFA4
              Function 06F37B08 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
              Download Yara Rule
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F37B7E
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 8a86c5e8d8dde00c88c61920139bf587684f10b1ac424437fca3612f71545071
              • Instruction ID: 80b55a7ff46e0d5feedcfecf2735b6277db8bc6d2b6f96a3493931c6a5a38eca
              • Opcode Fuzzy Hash: 8a86c5e8d8dde00c88c61920139bf587684f10b1ac424437fca3612f71545071
              • Instruction Fuzzy Hash: D41164B28002499FCB10DFAAC844BDFBBF5EF88324F208819E519A7210C739A550CFA4
              Function 027BACC8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027BB581,00000800,00000000,00000000), ref: 027BB792
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: ed6991eeb8de6e10c54b2fda4809733489a37d79167093ea98301e4bb478f0f4
              • Instruction ID: 427e0913ab7292aeef06255aa5d13a8ead32b9c543417b3d1c7b11e8756009d5
              • Opcode Fuzzy Hash: ed6991eeb8de6e10c54b2fda4809733489a37d79167093ea98301e4bb478f0f4
              • Instruction Fuzzy Hash: E41133B69002099FDB10CF9AC444BDEFBF4EF48314F10846AE819A7610C375A544CFA0
              Function 027BB722 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027BB581,00000800,00000000,00000000), ref: 027BB792
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 0d5a3b2837b5c6f7596b3fe796af4d03c03b535b0bfb4559421d1bca685a41ef
              • Instruction ID: a696ceb82d199ebbaa753c013dee57a544c7d6a3d3b86133cc0c03d227b0794a
              • Opcode Fuzzy Hash: 0d5a3b2837b5c6f7596b3fe796af4d03c03b535b0bfb4559421d1bca685a41ef
              • Instruction Fuzzy Hash: 481114B69003499FDB10DFAAD484ADEFBF4EF48324F10842AD959A7610C375A545CFA4
              Function 06F37549 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: d85063ec1e96a71f8fd979a4311a334232d6b83539b212a4e50a2f14185767c5
              • Instruction ID: 8f69ac56d9250c2d8f0210eb3bfff44ff7f9b6aac1eced36558ab9bc6b591a39
              • Opcode Fuzzy Hash: d85063ec1e96a71f8fd979a4311a334232d6b83539b212a4e50a2f14185767c5
              • Instruction Fuzzy Hash: 781146B19002598FCB24DFAAC845BDFFBF4EF88324F208819D559A7250CB34A944CFA4
              Function 06F37B10 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
              Download Yara Rule
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F37B7E
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 61fceccf618304ffdd484e89200abcf41f7bb544d5e6a451a07ee69c85b241f9
              • Instruction ID: 0ab5c3bd2b2e73d1a4660d0db94ee1050460eb0724d7f47b68a5f7ac3ea1c6f7
              • Opcode Fuzzy Hash: 61fceccf618304ffdd484e89200abcf41f7bb544d5e6a451a07ee69c85b241f9
              • Instruction Fuzzy Hash: DB1123B29002499FDB10DFAAC844BDFBBF5EB88324F208819E559A7250C775A944CFA4
              Function 027BAC64 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,027BB2CC), ref: 027BB506
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 0f9a557b61ddf3a05904cbeadd146e6b44dfe744f83961cec1f3b04dbafacc2c
              • Instruction ID: caa39239c7e9a1956fbd4756d7783a728583ee3519b090967b38479429f2c006
              • Opcode Fuzzy Hash: 0f9a557b61ddf3a05904cbeadd146e6b44dfe744f83961cec1f3b04dbafacc2c
              • Instruction Fuzzy Hash: 2911FDB59002498FDB20DF9AD444BDEFBF4EF88328F10846AD859B7210D375A545CFA5
              Function 06F37550 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 36259208d4b820bca789b2eda84487933d5a84c2db957a7c50c30f6d6d8aa622
              • Instruction ID: 05f2994bc1395f782bf98c873bd89f663d5cec74e92aeb712a80e18514e9a399
              • Opcode Fuzzy Hash: 36259208d4b820bca789b2eda84487933d5a84c2db957a7c50c30f6d6d8aa622
              • Instruction Fuzzy Hash: 1B1136B1D003598FDB24DFAAC4457EEFBF4EB88324F208829D559A7250CB75A944CFA4
              Function 06F3B011 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON
              Download Yara Rule
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F3B075
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 1f286215358b56397cd9e15f12447551303c2e26a163412910bc235776504fa2
              • Instruction ID: d6670983da3c77109ca24b5391b868ebc53b3940d423bd68d45280e97ed01dff
              • Opcode Fuzzy Hash: 1f286215358b56397cd9e15f12447551303c2e26a163412910bc235776504fa2
              • Instruction Fuzzy Hash: DC11F5B5800358DFDB10DF9AD985BDEBFF8EB48360F10841AE558A7610C375A584CFA1
              Function 06F389A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
              Download Yara Rule
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F3B075
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 6c33024dbfa59f3eb61f04f8da6104ea2a27f454fa8bdb3e1bad94e93870a254
              • Instruction ID: f69038a714fb0b358822deb63011be47530ca8b4efcebfb125f3a53e4f8aea9a
              • Opcode Fuzzy Hash: 6c33024dbfa59f3eb61f04f8da6104ea2a27f454fa8bdb3e1bad94e93870a254
              • Instruction Fuzzy Hash: 9D1106B5800358DFDB50DF99C585BDEFBF8EB58324F108459E554A7210C375A944CFA1
              Function 00E5D3D8 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697789853.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e5d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cbc363115d4013f1757a777d87375deb12f4f1301e7b151477d3bd37e1536e8d
              • Instruction ID: 43e325022ab2ebbac15b7db03328d0da77368e01078743ba022eccf618b1e99f
              • Opcode Fuzzy Hash: cbc363115d4013f1757a777d87375deb12f4f1301e7b151477d3bd37e1536e8d
              • Instruction Fuzzy Hash: 51214871108204DFDB24DF04CDC0B26BF65FB94325F20C969DC095B256C336E85AC6A2
              Function 00E6D1D4 Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697814147.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e6d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76b7270c2865295f93e818ccc749ddaa7f956837fa05dc3352fee0952b56b7e5
              • Instruction ID: 5bfdc47742b2736063f525a0b655e35fcbd2c7305d4288c340a751d146dafa2a
              • Opcode Fuzzy Hash: 76b7270c2865295f93e818ccc749ddaa7f956837fa05dc3352fee0952b56b7e5
              • Instruction Fuzzy Hash: 8B214971A88200DFCB01DF14EDD0B26BBA5FB84318F64C56DD8095B262C336D846CA61
              Function 00E6D01C Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697814147.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e6d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 96fd713a5eea0aac2f39a3eeb98cf246c092ea45e24da9823335fbe2c15f9bdd
              • Instruction ID: 431fb8ccebf31b2c07b3896e77e4fd811c0374a687b25b4dffa1e2f680e1e4e2
              • Opcode Fuzzy Hash: 96fd713a5eea0aac2f39a3eeb98cf246c092ea45e24da9823335fbe2c15f9bdd
              • Instruction Fuzzy Hash: 0C213771A88200DFCB54DF14E9C4B26BF66FB84318F60C56DD8095B296C337D847CA61
              Function 00E6D005 Relevance: .1, Instructions: 62COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697814147.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e6d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3a3c4793dd24dc4361731ebafd5b28f64c2a249b87837170d8202ab916fe5719
              • Instruction ID: cfce3304ff4517aef70c5ba1848a1adb439aa4f0bd469f8f63a644f7e0cc145a
              • Opcode Fuzzy Hash: 3a3c4793dd24dc4361731ebafd5b28f64c2a249b87837170d8202ab916fe5719
              • Instruction Fuzzy Hash: F621537554D3808FD712CF24D994715BF72EB46318F28C5EAD8498F6A7C33A980ACB62
              Function 00E5D3D3 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697789853.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e5d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: 63c6f2424861e7c9f8304842462c31bb85603cf4b2df3db7145ff4367eddb508
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: 43110372404240CFDB16CF00D9C4B16BF72FB94328F24C6A9DC090B256C33AE85ACBA1
              Function 00E6D1CF Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697814147.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e6d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: 54d237c1e63dddfc1b561b3f908ee02a3123a10f46a08d37c3be916f4317051d
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: 9B11BE75A48240DFCB11CF50D9D4B15BF61FB84328F28C6A9D8494B266C33AD85ACB51
              Function 00E5D731 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697789853.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e5d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d19a45a2f04d2ea7a3c1fa2c45f02e09a6d0c6da2d4a32922b19d6a70f0a4208
              • Instruction ID: bc72a4bcc0475f9da99c1afe52348caa3aab0848fa68d256ef4643f75e8fc4af
              • Opcode Fuzzy Hash: d19a45a2f04d2ea7a3c1fa2c45f02e09a6d0c6da2d4a32922b19d6a70f0a4208
              • Instruction Fuzzy Hash: 3201F73100D3049AE7204A25CDC47A7BF98EF49326F18C82BED085A186C2389844C671
              Function 00E5D730 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697789853.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e5d000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c04557fd0b33d84b0e8c7d4fe23c3da50dd578f23bd21433769f7ae4f9dc39f
              • Instruction ID: f05c817ef3292472828993cc543db8e21b6342770184deca3202ebb9706d9ece
              • Opcode Fuzzy Hash: 8c04557fd0b33d84b0e8c7d4fe23c3da50dd578f23bd21433769f7ae4f9dc39f
              • Instruction Fuzzy Hash: 79F0C2720083449AE7208A16CCC4B62FFA8EB95339F18C85AED081E286C2799844CA70

              Non-executed Functions

              Function 06F34DB8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID: lVj
              • API String ID: 0-722747814
              • Opcode ID: 5e565d7d7db9d783179b9b1d88fd1c00947549df6ab909bfbd343852ddbabb66
              • Instruction ID: 21fc9bcab9f0517b3a4288f1d0fbe94e54281f04c9c526218404f45af09e4c8c
              • Opcode Fuzzy Hash: 5e565d7d7db9d783179b9b1d88fd1c00947549df6ab909bfbd343852ddbabb66
              • Instruction Fuzzy Hash: CCE1EA74E001698FCB54DFA9C9809AEFBF2FF89304F248169E414AB355D735A941CFA1
              Function 06F34D7C Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID: lVj
              • API String ID: 0-722747814
              • Opcode ID: 55d0a13e32260497394dfc9e0a2229ad3615569721512f69e42ada3156f0a97d
              • Instruction ID: 8b378d6e575e28657a665ac1b7ef0f41318ed733dc6152529365999fef526c44
              • Opcode Fuzzy Hash: 55d0a13e32260497394dfc9e0a2229ad3615569721512f69e42ada3156f0a97d
              • Instruction Fuzzy Hash: E7513C74E052598FCB14CFA9C9805AEBBF2FF89304F24C1AAD418AB216D7359941CFA1
              Function 06F3C380 Relevance: .4, Instructions: 382COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f6e12aaa925443acb2a4a7365b25c7edf8a01cd98adb8f29318dcf9ac763d98
              • Instruction ID: 7bb1ba9dc1dee039892024b2a59e1d22916d9cfd36f8c7f97b3839f567025459
              • Opcode Fuzzy Hash: 8f6e12aaa925443acb2a4a7365b25c7edf8a01cd98adb8f29318dcf9ac763d98
              • Instruction Fuzzy Hash: 63E1BE71B007208FDB96EB79C850BAEB7E6AF89300F14846DD556EB290DB35E902CB50
              Function 06F376D8 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a33010a425dcf416a3bcfcc4d38680e05bb74f5a8a3c206f46c845782750505
              • Instruction ID: a484ab865062a9b7ddc6bf8fb307d4c995389be9c6d01f4767cedfd7d6c72f84
              • Opcode Fuzzy Hash: 7a33010a425dcf416a3bcfcc4d38680e05bb74f5a8a3c206f46c845782750505
              • Instruction Fuzzy Hash: 26E10BB4E001598FCB54DFA9C980AAEFBB2FF88304F24C159D414AB35AD730A941CFA5
              Function 06F35628 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e9490b6dc3be575c3ab67a4d96cf51402a83b541c9cf88a537cff8c70ea5759
              • Instruction ID: 32bfb160cbeaba17ead0325675130efc322dcf7c718dcbad1d16a9573aa77272
              • Opcode Fuzzy Hash: 7e9490b6dc3be575c3ab67a4d96cf51402a83b541c9cf88a537cff8c70ea5759
              • Instruction Fuzzy Hash: 88E10974E011598FCB54DFA9C9809AEFBB2FF89314F24C169D414AB35AD730A941CFA1
              Function 06F36CD0 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e7da58adc4ccaf10efbc44ec139e23fb5ffe83146cefe3cfca15e8f4db5088a
              • Instruction ID: 926ff5ff58bb372b98a322e116a96e142da94b92eb60f082ecefe757607683aa
              • Opcode Fuzzy Hash: 6e7da58adc4ccaf10efbc44ec139e23fb5ffe83146cefe3cfca15e8f4db5088a
              • Instruction Fuzzy Hash: B9E10AB4E002598FCB54DFA9C9809AEFBB2FF89304F24C169D414AB356D731A981CF65
              Function 06F351F0 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9253c0b8be164b506a551cdd9fcc8f71c83287d3c08f1f4de6149d9d1d336782
              • Instruction ID: 1001eaa518b54df939e9f0f76c6a469509f02911312859987d1b24f5d9925166
              • Opcode Fuzzy Hash: 9253c0b8be164b506a551cdd9fcc8f71c83287d3c08f1f4de6149d9d1d336782
              • Instruction Fuzzy Hash: F1E1F974E002598FCB54DFA9C9809AEFBB2FF89304F24C169E415AB356D730A941CFA1
              Function 027BE0E4 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1697970753.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27b0000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be237459694a0f009649f309f8f18a2e8ac2272496eab38c02e5e68ca144705c
              • Instruction ID: f2142349fa2b390c2c8fdc37a065e3e7eeaf871bea6bc45cc6fa64297d1ceb37
              • Opcode Fuzzy Hash: be237459694a0f009649f309f8f18a2e8ac2272496eab38c02e5e68ca144705c
              • Instruction Fuzzy Hash: 64A15C32A002099FCF0ADFB4C8446EEB7B6FF84704B2545AAE805AB365DB75E915CB40
              Function 06F376C9 Relevance: .1, Instructions: 136COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b8f350eea99289c0bef1a9057639b98ac5f8c385c33e225106d5112d9c96134
              • Instruction ID: 37f8260991da3da05251f1b7657849196b8149f44085f54e5a3b1ef70f3eb443
              • Opcode Fuzzy Hash: 9b8f350eea99289c0bef1a9057639b98ac5f8c385c33e225106d5112d9c96134
              • Instruction Fuzzy Hash: C4512AB1E042598FDB54DFA9C9809AEFBF2FF89304F24C16AD418A7216D7309941CFA5
              Function 06F351E0 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1701379995.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f30000_RFQ STS3780082024.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 235d563c04bbb8622e72f528f1a90ef80f3146bd07570e20d431e6b69ce07382
              • Instruction ID: a4ccdd48838b3f8ea93be947c02376453bdf667820b7ec53aadd280bc95820fb
              • Opcode Fuzzy Hash: 235d563c04bbb8622e72f528f1a90ef80f3146bd07570e20d431e6b69ce07382
              • Instruction Fuzzy Hash: 99512875E012298FDB54DFA9C9805AEFBF2FF89304F24C169D418AB216D7319A41CFA1

              Execution Graph

              Execution Coverage:0.7%
              Dynamic/Decrypted Code Coverage:5.6%
              Signature Coverage:9.3%
              Total number of Nodes:107
              Total number of Limit Nodes:10
              execution_graph 94524 42b5c3 94525 42b5dd 94524->94525 94528 1232df0 LdrInitializeThunk 94525->94528 94526 42b605 94528->94526 94529 424703 94530 42471c 94529->94530 94531 424767 94530->94531 94534 4247a7 94530->94534 94536 4247ac 94530->94536 94537 42e0b3 94531->94537 94535 42e0b3 RtlFreeHeap 94534->94535 94535->94536 94540 42c383 94537->94540 94539 424777 94541 42c39d 94540->94541 94542 42c3ae RtlFreeHeap 94541->94542 94542->94539 94543 42f3a3 94544 42f313 94543->94544 94545 42f370 94544->94545 94549 42e193 94544->94549 94547 42f34d 94548 42e0b3 RtlFreeHeap 94547->94548 94548->94545 94552 42c333 94549->94552 94551 42e1ae 94551->94547 94553 42c34d 94552->94553 94554 42c35e RtlAllocateHeap 94553->94554 94554->94551 94632 424373 94633 42438f 94632->94633 94634 4243b7 94633->94634 94635 4243cb 94633->94635 94636 42c003 NtClose 94634->94636 94637 42c003 NtClose 94635->94637 94638 4243c0 94636->94638 94639 4243d4 94637->94639 94642 42e1d3 RtlAllocateHeap 94639->94642 94641 4243df 94642->94641 94643 42f273 94644 42f283 94643->94644 94645 42f289 94643->94645 94646 42e193 RtlAllocateHeap 94645->94646 94647 42f2af 94646->94647 94555 417283 94556 4172a7 94555->94556 94557 4172e3 LdrLoadDll 94556->94557 94558 4172ae 94556->94558 94557->94558 94648 413753 94649 413773 94648->94649 94651 4137dc 94649->94651 94653 41aeb3 RtlFreeHeap LdrInitializeThunk 94649->94653 94652 4137d2 94653->94652 94654 413573 94657 42c2a3 94654->94657 94658 42c2bd 94657->94658 94661 1232c70 LdrInitializeThunk 94658->94661 94659 413595 94661->94659 94559 401a2e 94560 401a3d 94559->94560 94563 42f743 94560->94563 94566 42dc73 94563->94566 94567 42dc99 94566->94567 94576 407183 94567->94576 94569 42dcaf 94575 401a70 94569->94575 94579 41aba3 94569->94579 94571 42dcce 94572 42c3d3 ExitProcess 94571->94572 94573 42dce3 94571->94573 94572->94573 94590 42c3d3 94573->94590 94578 407190 94576->94578 94593 415f43 94576->94593 94578->94569 94580 41abcf 94579->94580 94618 41aa93 94580->94618 94583 41ac14 94585 41ac30 94583->94585 94588 42c003 NtClose 94583->94588 94584 41abfc 94586 41ac07 94584->94586 94624 42c003 94584->94624 94585->94571 94586->94571 94589 41ac26 94588->94589 94589->94571 94591 42c3f0 94590->94591 94592 42c401 ExitProcess 94591->94592 94592->94575 94594 415f60 94593->94594 94595 415f79 94594->94595 94597 415f97 94594->94597 94609 42adc3 NtClose LdrInitializeThunk 94594->94609 94595->94578 94602 42ca73 94597->94602 94599 415fce 94599->94595 94610 428983 NtClose LdrInitializeThunk 94599->94610 94601 41601c 94601->94578 94604 42ca8d 94602->94604 94603 42cabc 94603->94599 94604->94603 94611 42b613 94604->94611 94607 42e0b3 RtlFreeHeap 94608 42cb32 94607->94608 94608->94599 94609->94597 94610->94601 94612 42b630 94611->94612 94615 1232c0a 94612->94615 94613 42b65c 94613->94607 94616 1232c1f LdrInitializeThunk 94615->94616 94617 1232c11 94615->94617 94616->94613 94617->94613 94619 41aaad 94618->94619 94623 41ab89 94618->94623 94627 42b6b3 94619->94627 94622 42c003 NtClose 94622->94623 94623->94583 94623->94584 94625 42c01d 94624->94625 94626 42c02e NtClose 94625->94626 94626->94586 94628 42b6cd 94627->94628 94631 12335c0 LdrInitializeThunk 94628->94631 94629 41ab7d 94629->94622 94631->94629

              Executed Functions

              Function 00417283 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 24 417283-4172ac call 42edb3 27 4172b2-4172c0 call 42f3b3 24->27 28 4172ae-4172b1 24->28 31 4172d0-4172e1 call 42d743 27->31 32 4172c2-4172cd call 42f653 27->32 37 4172e3-4172f7 LdrLoadDll 31->37 38 4172fa-4172fd 31->38 32->31 37->38
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004172F5
              Memory Dump Source
              • Source File: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: fe612aa3d1b5742517d37b12b3a612cca01b15546c8e7c8025a9886ca340d8ad
              • Instruction ID: b8e9ec97489930ceb070e3c8e335ec216fb0a7430ed99e7a48e9c59897d2eb09
              • Opcode Fuzzy Hash: fe612aa3d1b5742517d37b12b3a612cca01b15546c8e7c8025a9886ca340d8ad
              • Instruction Fuzzy Hash: 750152B5E0020DA7DB10DAE5DC42FDEB3B89B54308F0081AAF90897240F634EB498B95
              Function 0042C003 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 49 42c003-42c03c call 404593 call 42d253 NtClose
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 53f763a2d87228db95e5af0c3939b1860b050437a5eb3830eef20bcffe050933
              • Instruction ID: 7d7d02806afba75d350ac5760a8f26f5e734a2091cb1580d582ff9fe802a1f2d
              • Opcode Fuzzy Hash: 53f763a2d87228db95e5af0c3939b1860b050437a5eb3830eef20bcffe050933
              • Instruction Fuzzy Hash: 6BE086316002147BD610FA9ADC01F97775CDFC5714F04802AFB5CA7181C670B90187F4
              Function 01232DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 64 1232df0-1232dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 128b0c7a6f64a4e02466fbcd36774cf534fa0098784d98fe8964a6e78341bf84
              • Instruction ID: cb9f6f32c28c5decffa81b646185bf415d7f895867906f5f928bab211bb7c6cd
              • Opcode Fuzzy Hash: 128b0c7a6f64a4e02466fbcd36774cf534fa0098784d98fe8964a6e78341bf84
              • Instruction Fuzzy Hash: 9590023122141413D11571984504707000997D0241F95C412A1424558DD6968A52A221
              Function 01232C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 63 1232c70-1232c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c0d1c0a574bc2d42b696f91e1e9665140e324d86c924e66ad36221766dcfe826
              • Instruction ID: bdda93c59530ab5562c1ca56013958d123fca0fad9ede13ed2ff865e3ee18b4b
              • Opcode Fuzzy Hash: c0d1c0a574bc2d42b696f91e1e9665140e324d86c924e66ad36221766dcfe826
              • Instruction Fuzzy Hash: 8690023122149803D1147198840474A000597D0301F59C411A5424658DC6D589917221
              Function 012335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 65 12335c0-12335cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c90b2595117c20ca8f71e1a003bf798e0b6bb5190871d6dba74725e85e310f16
              • Instruction ID: 9e040613e85079aaf4d3e97dcf033d572b17ff14060320a8b9027cee87474e49
              • Opcode Fuzzy Hash: c90b2595117c20ca8f71e1a003bf798e0b6bb5190871d6dba74725e85e310f16
              • Instruction Fuzzy Hash: 7090023162551403D10471984514706100597D0201F65C411A1424568DC7D58A5166A2
              Function 0042C333 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 39 42c333-42c374 call 404593 call 42d253 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E021,?,?,00000000,?,0041E021,?,?,?), ref: 0042C36F
              Memory Dump Source
              • Source File: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 7fe3a8c3556c84ae845fe426c7cde924dbfabda77256b0d23c8b72b37fdbb06f
              • Instruction ID: d3ca533b6fc011aa1b66efa48b51b08114f153336444eee9f1156083f868dd9b
              • Opcode Fuzzy Hash: 7fe3a8c3556c84ae845fe426c7cde924dbfabda77256b0d23c8b72b37fdbb06f
              • Instruction Fuzzy Hash: 04E06D71604314BBDA14EE99DC41EAB37ACEFC9710F00801AFA08A7241D671BD1087B8
              Function 0042C383 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 44 42c383-42c3c4 call 404593 call 42d253 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4B4A49C8,00000007,00000000,00000004,00000000,00416AF6,000000F4), ref: 0042C3BF
              Memory Dump Source
              • Source File: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: c62be6cc92a3e58431fb62bc7859419cb4743e4f498431d4bdbd2b832dc52020
              • Instruction ID: 47b5de9a726cc6e951440e3c8902ba289efd0177dcce2e06346b249c6b07df7d
              • Opcode Fuzzy Hash: c62be6cc92a3e58431fb62bc7859419cb4743e4f498431d4bdbd2b832dc52020
              • Instruction Fuzzy Hash: F1E06D75604304BBDA14EE99DC41EAB33ADEFC8710F004459FA08A7241C670B911CBF4
              Function 0042C3D3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 54 42c3d3-42c40f call 404593 call 42d253 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1758340713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_MSBuild.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 67262607e6efb244126f7288f1cf5530489ca23e64cd745992c46cb3281eb52f
              • Instruction ID: 8a1218f05d0afbc145bff7dc862a213452f6f35a3462fdf9e19d91cb963f78f4
              • Opcode Fuzzy Hash: 67262607e6efb244126f7288f1cf5530489ca23e64cd745992c46cb3281eb52f
              • Instruction Fuzzy Hash: E4E04F35600214BBD610AA9ADC01F97B75CDBC9714F00405AFA0867141C6B1BA10C7B4
              Function 01232C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 59 1232c0a-1232c0f 60 1232c11-1232c18 59->60 61 1232c1f-1232c26 LdrInitializeThunk 59->61
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 66aba25ba81b6e762845827064cfdc1c440de2ad3fe7bb70d352b3388ce2e089
              • Instruction ID: 48ab99d5995e561340458342d874057259d3fe5857ea641865a614e9b0a3aee7
              • Opcode Fuzzy Hash: 66aba25ba81b6e762845827064cfdc1c440de2ad3fe7bb70d352b3388ce2e089
              • Instruction Fuzzy Hash: 72B09B719115D5C6DA15F7A44608717790077D0701F16C461D3030641F4778D1D1E375

              Non-executed Functions

              Function 01272349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: b76a04fcf9f679210e57ccc3cd36f2bd2ac0414f04707fa33761acfdc0c8bb8a
              • Instruction ID: a4860d562740ebf6d2d4779d6b0f6905bebaf22771fc5da0451126da421ef94e
              • Opcode Fuzzy Hash: b76a04fcf9f679210e57ccc3cd36f2bd2ac0414f04707fa33761acfdc0c8bb8a
              • Instruction Fuzzy Hash: 5B928B71628342EFE725DF28C881B6BBBE8BB84754F04492DFA94D7251D770E844CB92
              Function 01228620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • undeleted critical section in freed memory, xrefs: 0126542B
              • Critical section address, xrefs: 01265425, 012654BC, 01265534
              • Invalid debug info address of this critical section, xrefs: 012654B6
              • Thread is in a state in which it cannot own a critical section, xrefs: 01265543
              • Critical section address., xrefs: 01265502
              • double initialized or corrupted critical section, xrefs: 01265508
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0126540A, 01265496, 01265519
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012654E2
              • Thread identifier, xrefs: 0126553A
              • Address of the debug info found in the active list., xrefs: 012654AE, 012654FA
              • corrupted critical section, xrefs: 012654C2
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012654CE
              • Critical section debug info address, xrefs: 0126541F, 0126552E
              • 8, xrefs: 012652E3
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              • Opcode ID: 9a1803488e34112ac8c908a97c807ce9bcb3c1234f7fbc90ec0a9644547d4ea3
              • Instruction ID: 5d816a118f855a33513715920acb87cdcee322dc99672c22de6a80e605616984
              • Opcode Fuzzy Hash: 9a1803488e34112ac8c908a97c807ce9bcb3c1234f7fbc90ec0a9644547d4ea3
              • Instruction Fuzzy Hash: F8818C70A50359EFDB24CF99C849BAEBBF9FB48B14F104119E608B7280D7B5A941CB50
              Function 012229F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
              Download Yara Rule
              Strings
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01262412
              • @, xrefs: 0126259B
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01262602
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01262498
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012624C0
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0126261F
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01262624
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012622E4
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01262409
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012625EB
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01262506
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              • Opcode ID: a4e79a631d34c711dda12edfe61a0c0e77faa10ad8a273a14d5dd970982a0ef8
              • Instruction ID: 0e188a6a96678b833d81b721a2f6ec1b1e0b440724b3e395074393fc8810f4dc
              • Opcode Fuzzy Hash: a4e79a631d34c711dda12edfe61a0c0e77faa10ad8a273a14d5dd970982a0ef8
              • Instruction Fuzzy Hash: 0B027EB1D10229EBDB31DB54CC81BAEB7B8AB54304F4141DAE709A7281EB719EC4CF59
              Function 01298B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              • Opcode ID: a45cd3c7cc68aedd6f8d8c43c2e88baea7638466e437c23b08c1f0f15668b3aa
              • Instruction ID: 10cc16d0d8865800d5d736f29e08ca3680db26fbfab3640ef269de13fe4e710c
              • Opcode Fuzzy Hash: a45cd3c7cc68aedd6f8d8c43c2e88baea7638466e437c23b08c1f0f15668b3aa
              • Instruction Fuzzy Hash: 4651E4B112435A9BCB2DDF1C8844BABBBE8EF99754F18491DEA55C3280E770D504CBA2
              Function 012A0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 5e4a1df981c69518d6cd153788d9d4df355c6b583f7a0c35cd20a407c4db13cf
              • Instruction ID: de317935c43127a800862e42d5e0e7966bad17052184834d8496e0f23822ace9
              • Opcode Fuzzy Hash: 5e4a1df981c69518d6cd153788d9d4df355c6b583f7a0c35cd20a407c4db13cf
              • Instruction Fuzzy Hash: 35D14531620686DFDB2ADFA8D445AADBBF2FF19B04F48804DF5459B252C734E940CB58
              Function 012789B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
              Download Yara Rule
              Strings
              • VerifierDlls, xrefs: 01278CBD
              • AVRF: -*- final list of providers -*- , xrefs: 01278B8F
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01278A67
              • VerifierFlags, xrefs: 01278C50
              • VerifierDebug, xrefs: 01278CA5
              • HandleTraces, xrefs: 01278C8F
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01278A3D
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              • API String ID: 0-3223716464
              • Opcode ID: 3fca8337816d01e68148c51b8a144d58211323e3afca27a2cb0090b7b9502f97
              • Instruction ID: f4c5a0e55d387905991f077cff2b39286a3de05e45ddec5ed3ca2a6449a705e6
              • Opcode Fuzzy Hash: 3fca8337816d01e68148c51b8a144d58211323e3afca27a2cb0090b7b9502f97
              • Instruction Fuzzy Hash: B19144B2671312EFD725EF68D889B2B7BE4AB54B28F44051CFA40AF241D7709C00CB95
              Function 011FEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: 93a5fef9cfe1b1eb72902f692b8384c04aea0eec5b1c5a0831540ca14d31cc3f
              • Instruction ID: a9fb272e7b7be3c66befcca30f484c124e8a63c581bbf9a2c93d773f86c5408d
              • Opcode Fuzzy Hash: 93a5fef9cfe1b1eb72902f692b8384c04aea0eec5b1c5a0831540ca14d31cc3f
              • Instruction Fuzzy Hash: 51A26B71A1566A8FDB68DF18CC887ADBBB1AF45304F1542D9DA0DA7291EB709EC1CF00
              Function 012263FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: e92ad3bd931bceeb296275fec45b4e0910771fe3b242c23cac8f5a69a223574b
              • Instruction ID: 19be37d21625cee5160e91d6cf3be386131272ffc7e15d20cce4769523458659
              • Opcode Fuzzy Hash: e92ad3bd931bceeb296275fec45b4e0910771fe3b242c23cac8f5a69a223574b
              • Instruction Fuzzy Hash: 0E913971B30366EBEB39EF58E849BAE7BE5FB50B14F100119EA406B2C1D7B05881C790
              Function 011E645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
              Download Yara Rule
              Strings
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01249A01
              • apphelp.dll, xrefs: 011E6496
              • LdrpInitShimEngine, xrefs: 012499F4, 01249A07, 01249A30
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 012499ED
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01249A2A
              • minkernel\ntdll\ldrinit.c, xrefs: 01249A11, 01249A3A
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              • Opcode ID: 3a532645af3586f40ec6b870ae77a59e004ddede641fabde618dc6b7db0c281a
              • Instruction ID: dd2144d272888e468de07e9f5f80e1387df0005d74fc82bbf975d712f0708dbb
              • Opcode Fuzzy Hash: 3a532645af3586f40ec6b870ae77a59e004ddede641fabde618dc6b7db0c281a
              • Instruction Fuzzy Hash: E65110712683019FEB28DF24D849BAB77E8FF98648F40091DF5959B290D730E980CB93
              Function 01222674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012621BF
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01262180
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01262178
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0126219F
              • SXS: %s() passed the empty activation context, xrefs: 01262165
              • RtlGetAssemblyStorageRoot, xrefs: 01262160, 0126219A, 012621BA
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: 355709b30da8d3e3ec9ca872d8b1a75a048b40744ca86d3a903438447df6cbe3
              • Instruction ID: adb639115ebc6dcad767eabd2021a7408c0bf0930d6e18b8ad0718375d44aaf9
              • Opcode Fuzzy Hash: 355709b30da8d3e3ec9ca872d8b1a75a048b40744ca86d3a903438447df6cbe3
              • Instruction Fuzzy Hash: C331E736F64236FBE7258A998C42F6F7A6CDB64A54F054099FB047B181D3B09A40C7A1
              Function 0122C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeImportRedirection, xrefs: 01268177, 012681EB
              • minkernel\ntdll\ldrredirect.c, xrefs: 01268181, 012681F5
              • LdrpInitializeProcess, xrefs: 0122C6C4
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 012681E5
              • minkernel\ntdll\ldrinit.c, xrefs: 0122C6C3
              • Loading import redirection DLL: '%wZ', xrefs: 01268170
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 7e2181c40044c1b1b96643fa4fe7ced83f6623fdccb1160c39a6ef091ce3356d
              • Instruction ID: ab06455f3e34f52cd5a8aaed8a118752abca77082a8d3818f7f9367c7294b772
              • Opcode Fuzzy Hash: 7e2181c40044c1b1b96643fa4fe7ced83f6623fdccb1160c39a6ef091ce3356d
              • Instruction Fuzzy Hash: 6A3102B1664346AFD224EF29D946E2F77D4AFE4B10F000558FA806B291D660EC04C7A2
              Function 0123096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 01232DF0: LdrInitializeThunk.NTDLL ref: 01232DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01230BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01230BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01230D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01230D74
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              • Opcode ID: dad2e4e73601070e74f46bc52e3e3fd3d688cffa677c858a00cebff636329ac4
              • Instruction ID: 724917cc79d88c9a01f90ebbc4fe73a1dd840c25333eca188daa973814161e6e
              • Opcode Fuzzy Hash: dad2e4e73601070e74f46bc52e3e3fd3d688cffa677c858a00cebff636329ac4
              • Instruction Fuzzy Hash: D7425EB1910716DFDB21CF28C841BAAB7F5FF44314F1445AAE989DB241EB70AA85CF60
              Function 011FA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: c16d5f0aa2f3d014860dd3b853caaf9ba2779d7bd5b4e3d02b1632bcf50725b5
              • Instruction ID: bcccccc1462ff53ddba81308d2e00cedf03900765fbc2c72f74c79bcae6a3360
              • Opcode Fuzzy Hash: c16d5f0aa2f3d014860dd3b853caaf9ba2779d7bd5b4e3d02b1632bcf50725b5
              • Instruction Fuzzy Hash: 0CC1AC70118382CFD719CF58D084B6AB7E4BF84704F05896EFA998B291E738D949CB53
              Function 01228402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeProcess, xrefs: 01228422
              • minkernel\ntdll\ldrinit.c, xrefs: 01228421
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0122855E
              • @, xrefs: 01228591
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              • Opcode ID: 156393ad7e0cbbe564f2c0f1b42498ec04e4665258b922281396303d737ef998
              • Instruction ID: 8b25124542a64a301adda3ddc77d82d79ba248fc2a65eab838b7e2bdff99d89c
              • Opcode Fuzzy Hash: 156393ad7e0cbbe564f2c0f1b42498ec04e4665258b922281396303d737ef998
              • Instruction Fuzzy Hash: 129199B1568356EFD722DE25C841FAFBAECFB94684F40092EFA8492151E334D944CB62
              Function 0122273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012622B6
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012621D9, 012622B1
              • SXS: %s() passed the empty activation context, xrefs: 012621DE
              • .Local, xrefs: 012228D8
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: b0aa752b9d4eaa34f7fa03430157cccb9e8258247917fb94c03e4af6fb6d01a2
              • Instruction ID: 10170d33fd549dcc73150d273a2f6c48981f41a50e730d0fc11be517e8a0aafc
              • Opcode Fuzzy Hash: b0aa752b9d4eaa34f7fa03430157cccb9e8258247917fb94c03e4af6fb6d01a2
              • Instruction Fuzzy Hash: E5A1B731A2022ADFDB25CF58CC84BA9B7B5BF58354F2541E9DA08A7291D7719EC0CF90
              Function 011F64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
              Download Yara Rule
              Strings
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012510AE
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01250FE5
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0125106B
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01251028
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              • Opcode ID: 372be208e6fa421724498ca5adc7b8c2349d9d06fbeba404a072428bf04e9257
              • Instruction ID: 5239f8cc291ec6c9617087e5c34ef25095d7775d7cc1d3779c9d270fef7ba70b
              • Opcode Fuzzy Hash: 372be208e6fa421724498ca5adc7b8c2349d9d06fbeba404a072428bf04e9257
              • Instruction Fuzzy Hash: 9671E1B19143059FCB25DF54C888BAB7FA8AF957A4F00046CFE489B256D734D588CBD2
              Function 0121245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0125A992
              • apphelp.dll, xrefs: 01212462
              • LdrpDynamicShimModule, xrefs: 0125A998
              • minkernel\ntdll\ldrinit.c, xrefs: 0125A9A2
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              • Opcode ID: f90adf1756b3389c616fbf9577692cfd228788d6d85605975fdc39376326f17f
              • Instruction ID: 4e74718a79f3d30956b22846406f9c0b17e5ceb1cac1cf803b02019b3a61ca72
              • Opcode Fuzzy Hash: f90adf1756b3389c616fbf9577692cfd228788d6d85605975fdc39376326f17f
              • Instruction Fuzzy Hash: 7F312A75660202EBDB35DF5DA88AABA7BF4FB94714F160159FE006B249D7B05C81CB80
              Function 012029A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 01203255
              • HEAP: , xrefs: 01203264
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0120327D
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: e7b406ea7367da4f8e865d2ed4dcb78a4a111ec9fcd612be8fe880ee7261b14e
              • Instruction ID: 2da4896d410cd7582d0c6fcefa75eaf11188187b1506595ebb6901395870e32f
              • Opcode Fuzzy Hash: e7b406ea7367da4f8e865d2ed4dcb78a4a111ec9fcd612be8fe880ee7261b14e
              • Instruction Fuzzy Hash: F192DE70A2464ADFDB26CF68C4447ADBBF1FF08304F18825AE949AB392D775A941CF50
              Function 01200770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: 4f5dae4aecf972f47cab9b7b42f940fe946b107893070ee2fca420ef689af0b6
              • Instruction ID: dfa95481bbf0e4372237ba964a46c88c429677af1f4bc6b84d10745916ed610c
              • Opcode Fuzzy Hash: 4f5dae4aecf972f47cab9b7b42f940fe946b107893070ee2fca420ef689af0b6
              • Instruction Fuzzy Hash: 37F1C030620606DFEB16CF68C884B7ABBF5FF44744F148268E9169B392D774E981CB94
              Function 01216962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: ad4201c72f134e5836e9015d7ca01101d0c9713a0f350a8567ca0961f6b9968d
              • Instruction ID: 4e38d6acaaa2e89b03574f63b707494735811896dc27160c97dcbe209263b066
              • Opcode Fuzzy Hash: ad4201c72f134e5836e9015d7ca01101d0c9713a0f350a8567ca0961f6b9968d
              • Instruction Fuzzy Hash: 59C2A0716283429FD725CF28C881BABBBE5AFD8714F04892DFA89C7245E774D805CB52
              Function 011EA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: 3e0f46f1d50cbf7f76cd73fc93b6189a299fdea5d4afeae93f9322f79f6ba4c0
              • Instruction ID: 3056f90c7ec6504af60688143636ca6755a1e9fd7d9c2eb2915cc3a29c5b2916
              • Opcode Fuzzy Hash: 3e0f46f1d50cbf7f76cd73fc93b6189a299fdea5d4afeae93f9322f79f6ba4c0
              • Instruction Fuzzy Hash: EEA1717192162A9BDB35DF68DC88BE9B7B8FF44710F1001E9EA08A7250D7759E84CF50
              Function 01210BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
              Download Yara Rule
              Strings
              • Failed to allocated memory for shimmed module list, xrefs: 0125A10F
              • minkernel\ntdll\ldrinit.c, xrefs: 0125A121
              • LdrpCheckModule, xrefs: 0125A117
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              • API String ID: 0-161242083
              • Opcode ID: 73b636d67d4d2d21348f7dfae38b3ae93ae91fca9d01f448b8ba52332331871c
              • Instruction ID: 53059a3aad1812e2d58cf2196c951ff24791818e727994a4322ace0fd01cfcb4
              • Opcode Fuzzy Hash: 73b636d67d4d2d21348f7dfae38b3ae93ae91fca9d01f448b8ba52332331871c
              • Instruction Fuzzy Hash: 34710070A2020ADFDB29DF68C985BBEB7F4FB54204F14402DEA02EB255E774AD81CB44
              Function 01200A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-1334570610
              • Opcode ID: 39251ec5414862c3a259c97b2570153ccff35f8acb43ee6dd42ec09dfe5cd7f1
              • Instruction ID: 905d1b23433a3f9552ec520aa09fd55665926febb0a235773e88ef586277ccdc
              • Opcode Fuzzy Hash: 39251ec5414862c3a259c97b2570153ccff35f8acb43ee6dd42ec09dfe5cd7f1
              • Instruction Fuzzy Hash: 1C61D370620702EFE72ACF28C485B6ABBE1FF45744F148659E9498F293D770E881CB54
              Function 0122C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • LdrpInitializePerUserWindowsDirectory, xrefs: 012682DE
              • minkernel\ntdll\ldrinit.c, xrefs: 012682E8
              • Failed to reallocate the system dirs string !, xrefs: 012682D7
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: e2aa54901c1a64ba2a123ce973aede9ff023d3d05c3628991a0499eaf1ef9970
              • Instruction ID: bbccd184afd8c638c324d655150f99a5a90a201d606eec273f73cbd30db1790e
              • Opcode Fuzzy Hash: e2aa54901c1a64ba2a123ce973aede9ff023d3d05c3628991a0499eaf1ef9970
              • Instruction Fuzzy Hash: 124113B1574312ABDB35EB68E848B6F77ECAF54750F00092AFA48DB290E774D810CB91
              Function 012AC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • PreferredUILanguages, xrefs: 012AC212
              • @, xrefs: 012AC1F1
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 012AC1C5
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 7b37775775ef3eff0151e7746f3ff80937dbb1f3f17f4fdf45f91a0cd4b6d983
              • Instruction ID: 56990f7a589d8ce24ca3194dfb0137a404c1941916132ec6f59227fd801383eb
              • Opcode Fuzzy Hash: 7b37775775ef3eff0151e7746f3ff80937dbb1f3f17f4fdf45f91a0cd4b6d983
              • Instruction Fuzzy Hash: A9418371E2020AEBDF15DBE8C841FEEBBB8AB54704F40416AE709F7280D7749A44CB50
              Function 01284144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: a2b6f15690173d49635a5539df7665c151b1f29251233f4f6594a5ee85cc764e
              • Instruction ID: f2e2812c7ed57b73531b6aec12d455e567dd0e4cfcb6afe990e68cea1a40c1c1
              • Opcode Fuzzy Hash: a2b6f15690173d49635a5539df7665c151b1f29251233f4f6594a5ee85cc764e
              • Instruction Fuzzy Hash: C6411631A2568ACFEB26FBA8C840BADBBB4FF65340F14055ADA01EB7C5D7749901CB11
              Function 01274755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 01274899
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01274888
              • LdrpCheckRedirection, xrefs: 0127488F
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 6d0ded32a7b19c7b3d8a479db8533dd179586acb3468d09e5ce8c4915ac4e2b7
              • Instruction ID: 7f99f90777f9fd6a72bdfec142558630c9333a25167684b882fa089d4fc14a93
              • Opcode Fuzzy Hash: 6d0ded32a7b19c7b3d8a479db8533dd179586acb3468d09e5ce8c4915ac4e2b7
              • Instruction Fuzzy Hash: F541DF32A242968BCB25EE6DD840A27BBE4EF89A50F05056DEE589B251D370D800CB81
              Function 01200BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-2558761708
              • Opcode ID: 11a7cf38ee5b4e8087bee5e6114159e9a6b45b89a83a3321aeb15b46af495860
              • Instruction ID: dee3b5ee860c6dbe730c0f551473d4ce153d2ac7b6279065a9cb93c0c804fe76
              • Opcode Fuzzy Hash: 11a7cf38ee5b4e8087bee5e6114159e9a6b45b89a83a3321aeb15b46af495860
              • Instruction Fuzzy Hash: 0511D231334942DFEB5ADE18C485B7ABBE5EF50A59F148219F806CB292E730E841C759
              Function 012720DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01272104
              • Process initialization failed with status 0x%08lx, xrefs: 012720F3
              • LdrpInitializationFailure, xrefs: 012720FA
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: ec2745099a532dc89fedb9c8fa083994bca1c6c8dce2d3c67fa5976349dffbc3
              • Instruction ID: 668245309bdb02942a473aa6d324face2a3180ffd0f74eaf42762253ec6b5fe1
              • Opcode Fuzzy Hash: ec2745099a532dc89fedb9c8fa083994bca1c6c8dce2d3c67fa5976349dffbc3
              • Instruction Fuzzy Hash: BAF0C275690319BBE728EA4DEC57FEA37A8FB41B54F100059F7407B286D2B0A940C691
              Function 012003E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: d820ea29393248d6886a34c0e1a42cc8c6c7b02d89f28d0ca7003d5ed348f1a0
              • Instruction ID: 80cab99b91bfc00155a2133d36e3e31e80ff0715941fac5e481bb077ebdf050e
              • Opcode Fuzzy Hash: d820ea29393248d6886a34c0e1a42cc8c6c7b02d89f28d0ca7003d5ed348f1a0
              • Instruction Fuzzy Hash: BC716C71A2014A9FDB06DFA8C980BAEB7F8FF58344F150165EA04E7291EA34ED41CB64
              Function 011FA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
              Download Yara Rule
              Strings
              • LdrResSearchResource Enter, xrefs: 011FAA13
              • LdrResSearchResource Exit, xrefs: 011FAA25
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              • API String ID: 0-4066393604
              • Opcode ID: 6019c189a2bc9b60bb4b2438c10a07dd32fb52e141f40db0f1d326d87a69030c
              • Instruction ID: eb3989c3c7ead44a115424b033a4fa28973fcbfb9fdb1e066c39db74832bdb09
              • Opcode Fuzzy Hash: 6019c189a2bc9b60bb4b2438c10a07dd32fb52e141f40db0f1d326d87a69030c
              • Instruction Fuzzy Hash: 34E1A271A14209DFEB2ACF99E980BAEBBB9BF04350F104429EF05E7291D778D944CB51
              Function 012BA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: 7f6006753f74af373841f085caa4d81d1d319267d0c5ec8d8009a69821daf8cd
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 12C1D0712243429FEB25CF28C881BABBBE5EFC4394F084A2DF6968B291D774D545CB41
              Function 0126E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 40bfe6870e2df524b67b8e58cda593d77568c03586aa9961b5329b99303bbbb0
              • Instruction ID: d2026c494407ebb3aef448b73a6fa31fbec5c2d5bc398a07c88edb006c96b063
              • Opcode Fuzzy Hash: 40bfe6870e2df524b67b8e58cda593d77568c03586aa9961b5329b99303bbbb0
              • Instruction Fuzzy Hash: D1617DB5E203199FDB19DFA8C840BAEBBB9FF54700F25402DE649EB291D731A940CB50
              Function 012943D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              • Opcode ID: b2b574209302fc3ef3d75fd770a53fb5f16ec1d7b23cf8ec559621831c2d56c8
              • Instruction ID: 1c9abb73fc65f3dfcec9a464b690c6968a07da2254a0e6c7a1fea2146c59276a
              • Opcode Fuzzy Hash: b2b574209302fc3ef3d75fd770a53fb5f16ec1d7b23cf8ec559621831c2d56c8
              • Instruction Fuzzy Hash: B85148B1E1065EAFDF11EFE9CD80AEEBBB9EB54754F100529E611B7280D7309906CB60
              Function 011F04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
              Download Yara Rule
              Strings
              • kLsE, xrefs: 011F0540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 011F063D
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: 569629b62398f9e4392374bb8c23e4e770df6439da3185ae7d69a97889d80970
              • Instruction ID: f22d7d4665ea9b4f9a92ef6b117bc505db96fc194437e058fcebb84819b0b5f1
              • Opcode Fuzzy Hash: 569629b62398f9e4392374bb8c23e4e770df6439da3185ae7d69a97889d80970
              • Instruction Fuzzy Hash: DA51CFB15047428FD728DF68C4446A3BBE6AF88314F14483EF6EA87252E770E545CF92
              Function 011FA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 011FA309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 011FA2FB
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 11e51e47c59a10c7c80b6351c54b62166bde017fe9969430d905fc110042dc52
              • Instruction ID: d273a87f6c03bc1be4d2739552bf1a3b056f88949a11c355525bdd54d5ce757b
              • Opcode Fuzzy Hash: 11e51e47c59a10c7c80b6351c54b62166bde017fe9969430d905fc110042dc52
              • Instruction Fuzzy Hash: CE41D034A18646CBDB19DF59D880B6ABBB4FF84700F244069EE04DB291E7B9D900CB41
              Function 0122A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 2505521109d0e5e406f68cca1b75a1636d61395b77f7d18fc016969767e07250
              • Instruction ID: c65b01a74d35f6a206db14bdb124c577f83e29701dd056c60e2ee7e7c75aee7d
              • Opcode Fuzzy Hash: 2505521109d0e5e406f68cca1b75a1636d61395b77f7d18fc016969767e07250
              • Instruction Fuzzy Hash: AE01D1B2260704AFD721DF14DD49B2A77E8E7A4B15F008979E648CB994E774E804CB46
              Function 011FC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 76ee9e9ba9d480f913ada79f3d8bc0f08eaa3a8e0d64760483740784fadd1b9a
              • Instruction ID: 0ce3262ffa9f27f83a29b2a7811dcf808c18b387b9e5c7015033773f66ffff72
              • Opcode Fuzzy Hash: 76ee9e9ba9d480f913ada79f3d8bc0f08eaa3a8e0d64760483740784fadd1b9a
              • Instruction Fuzzy Hash: 15825A75E0021D8BEF29CFA9D880BEDBBB1FF48350F14816DDA19AB291D7309941DB91
              Function 01276420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: a6bf0e5270367e4997aa55abe938e162b7e023e6a72e7551ddfdae1287c830b2
              • Instruction ID: 4c08327590b510f50a088182d879b3371539e631b17c7f6ffa68d8cbf881a379
              • Opcode Fuzzy Hash: a6bf0e5270367e4997aa55abe938e162b7e023e6a72e7551ddfdae1287c830b2
              • Instruction Fuzzy Hash: 88917F71A5061AAFEB21DB95CC85FAFBBB8EF18B50F100165F700AB191D775AD04CBA0
              Function 0129E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 97dd45d2cda8b3c115fa74a85191cd462fc2179e9842488c76e67d7cd1ee5d36
              • Instruction ID: 36436f2030637602ddc2995da1f3046b2393e62a7f0d3c5c08118f7837b28eb4
              • Opcode Fuzzy Hash: 97dd45d2cda8b3c115fa74a85191cd462fc2179e9842488c76e67d7cd1ee5d36
              • Instruction Fuzzy Hash: 5691B07292164ABEDF26EBA8DC44FBFBBB9EF95740F110025F600A7250EB749901CB50
              Function 0122A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: cd2139ec52e23f5a12206b4b296d69a121052447dcffb3b28f368021679c8832
              • Instruction ID: d3a743b472706b07e961f55b2660938eea53df8dc3aa1b0b04f6f25a26b22a10
              • Opcode Fuzzy Hash: cd2139ec52e23f5a12206b4b296d69a121052447dcffb3b28f368021679c8832
              • Instruction Fuzzy Hash: 5F719DB5E2021BDFDF29CFACD4906ADBBB5FF58700F14812AE605A7281E7759881CB50
              Function 01294978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              • Opcode ID: aaf0d4e04d1b979a2aa73c2a8871c010b4762997b28eb6cf639355ebe6efd08b
              • Instruction ID: b25a5fc99d02b0884b42265e66845958341466ec06e8af9f9e5969f9698ea5aa
              • Opcode Fuzzy Hash: aaf0d4e04d1b979a2aa73c2a8871c010b4762997b28eb6cf639355ebe6efd08b
              • Instruction Fuzzy Hash: 7451C972D2026A9BDF14EF9DD950AAEBBB4BF19704F054129EA11B7350D3785C02CBE4
              Function 0120E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: f409a5ebab4cedc35cbe6c3848dae2b9b2ffa9184b794f129aa6692776409445
              • Instruction ID: 714ec01bf6dd56aaeb93798d1f0ffc5e67f68eb6dc7d971314fde6d8169529a2
              • Opcode Fuzzy Hash: f409a5ebab4cedc35cbe6c3848dae2b9b2ffa9184b794f129aa6692776409445
              • Instruction Fuzzy Hash: FB41F272528302ABD726DA75C840B6BB7E8AF98704F050E2DFA84D71D2E774D984C792
              Function 0126C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 2cc548206fbcc6abf0b82db058dc26b14f2465a0e7638af4da3f83dc1ae30235
              • Instruction ID: aad692f32d02aafc5123f09c515ff0a4b4b8f57768acf0c953e2475417bce39e
              • Opcode Fuzzy Hash: 2cc548206fbcc6abf0b82db058dc26b14f2465a0e7638af4da3f83dc1ae30235
              • Instruction Fuzzy Hash: DF4154F1D1052DABDB21EA50CC84FEEB77CAB45714F0045A5EB48AB180DB709E998FA4
              Function 01286B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: 2668b10c2ff1594a839892a96859be58bad1812c7d63fbc6a24dc1a7fb03db43
              • Instruction ID: 687767b97bfb63ca970fd9f48556ec0d13f00e98c42f1e6c6a087475a401abf7
              • Opcode Fuzzy Hash: 2668b10c2ff1594a839892a96859be58bad1812c7d63fbc6a24dc1a7fb03db43
              • Instruction Fuzzy Hash: 6D314131A2175A9BDB32EF69C858BEE7BB8DF44704F144068EA40AB2C2D775DC05CB50
              Function 0126CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: BinaryName
              • API String ID: 0-215506332
              • Opcode ID: 3d07f8ea565ae9cb9a2dc16ca9dec947fb33951d7ab8557ae7e747291a3e59c2
              • Instruction ID: 67c699cef7172002b398e266f5dca82baffce69e45423190191fe463db8702a8
              • Opcode Fuzzy Hash: 3d07f8ea565ae9cb9a2dc16ca9dec947fb33951d7ab8557ae7e747291a3e59c2
              • Instruction Fuzzy Hash: 66312776910516AFEB16EF58C845E7FBB78EF80720F018129EA45A72D0E7309E50DBE0
              Function 0127892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
              Download Yara Rule
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0127895E
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Opcode ID: 3fbf50b39ef3eda231ab5b62b3a726210637fd44ef1a7f841d4db07d527c9462
              • Instruction ID: 3cb420a0be1e9a95546398f04112832a097d13f6e09c43dd50c0750aacb32370
              • Opcode Fuzzy Hash: 3fbf50b39ef3eda231ab5b62b3a726210637fd44ef1a7f841d4db07d527c9462
              • Instruction Fuzzy Hash: 0A01F736230203EBEA246B55988CA677BA5EF85268B04001DF7410A651CB70AC81C797
              Function 01292000 Relevance: .8, Instructions: 757COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bbed661b37246fa1d144d285aa2c1dfaf088072fdd08930e2eb89f3747eb93af
              • Instruction ID: 36266d5dd765f1786a0978bd86ac29f62cfa3fa5d784bfcaed62d5d4ac9006f0
              • Opcode Fuzzy Hash: bbed661b37246fa1d144d285aa2c1dfaf088072fdd08930e2eb89f3747eb93af
              • Instruction Fuzzy Hash: A342A171628342EBDB25DF6CC890A6FBBE5BF98300F08092DFA8697251D771D845CB52
              Function 01288158 Relevance: .6, Instructions: 617COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a76f954de07b5a47b3bdb5286491ae2c371969b69f65b0dc2723792c77236c5d
              • Instruction ID: fc4231b680f7f3d1fa96e3d81c5410e00f0bd0e4e5ebc696a8d981ceaf1ed5a1
              • Opcode Fuzzy Hash: a76f954de07b5a47b3bdb5286491ae2c371969b69f65b0dc2723792c77236c5d
              • Instruction Fuzzy Hash: 69426E75E212198FEB25DF69C881BADBBF5BF48300F548199E948EB282D7349D81CF50
              Function 01202840 Relevance: .6, Instructions: 605COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1464d488c23cc0ce0afa1f22de6cd0699b8b280d5e0c1b03e120bbb803c6bb6
              • Instruction ID: 799184205e1410dff2f904d41593ae9d4eec5395fe15959b4f9157afa64a2ed9
              • Opcode Fuzzy Hash: c1464d488c23cc0ce0afa1f22de6cd0699b8b280d5e0c1b03e120bbb803c6bb6
              • Instruction Fuzzy Hash: 20321070A2075A8FEB65CF69C8887BEBBF2FF84304F64411DDA469B285D774A805CB50
              Function 0129A118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49b00facbd4a52fef3d79fef5162eefb9b56b99798c7111cc036ea2525fc7d0f
              • Instruction ID: 9af2646a31696b90bcd52a542752c0a723c5e995cb4d113c9a4a1daac9a36792
              • Opcode Fuzzy Hash: 49b00facbd4a52fef3d79fef5162eefb9b56b99798c7111cc036ea2525fc7d0f
              • Instruction Fuzzy Hash: 6C22AD706247628FEF25CF2DC095376BBF1AF44304F08849ADA968B286D775E452CB60
              Function 011F6A50 Relevance: .5, Instructions: 548COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c90167a2a186847ac4e1c02c4b81a9a0688521c2e2308b965c44ef5da3814d0
              • Instruction ID: 8a2fa2648c90263c4e3054e524988a5257da3632a38f6e2d38d2a6ff7db1e0f0
              • Opcode Fuzzy Hash: 6c90167a2a186847ac4e1c02c4b81a9a0688521c2e2308b965c44ef5da3814d0
              • Instruction Fuzzy Hash: C2328A71A10215DFDB29CF68C480BAABBF1FF48310F14866DEA56AB392D734E851CB51
              Function 01214A35 Relevance: .4, Instructions: 423COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
              • Instruction ID: 53750750bbb95335dd089d331ffce35f718a9b3578f271b46b369985d8524d66
              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
              • Instruction Fuzzy Hash: ACF19071E2024A9BDF15DF99C480BAEBBF6BF58714F048129EE05AB344E774E841CB50
              Function 0128892B Relevance: .4, Instructions: 386COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39f6a8b0c6ba983487fdaf9bf9c36d536511251ea59a94bc503c524680ab56d8
              • Instruction ID: ee1fb4497e75212a95dd79918351f31bab21bf17479c898f71dda8731b15a5fe
              • Opcode Fuzzy Hash: 39f6a8b0c6ba983487fdaf9bf9c36d536511251ea59a94bc503c524680ab56d8
              • Instruction Fuzzy Hash: C6D10371A2160A8BDF19DFA8C841AFEB7F1BF88304F588169D955E72C1E735E901CB60
              Function 011F65D0 Relevance: .4, Instructions: 383COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c8ab9eda5f5b5c1e16548ca179fbac3d13e2bbcee2c94459a8e0ca4f4087777
              • Instruction ID: 180a27f6d9b501779748aadfbab5a1368faf74bd3e1bab3e53508c50a320fb70
              • Opcode Fuzzy Hash: 3c8ab9eda5f5b5c1e16548ca179fbac3d13e2bbcee2c94459a8e0ca4f4087777
              • Instruction Fuzzy Hash: 13E19171508342CFC719CF28C490A6ABBF1FF89314F058A6DEA9987351EB31E945CB92
              Function 011E8397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f938f552294ffca99583b99ddd762d86d38ffdc14fcbc04611efad8b126d2edf
              • Instruction ID: 2236225da020f00386f4c184ae920bee5aa50b32d02ecd7896aa39ca4cb6fef7
              • Opcode Fuzzy Hash: f938f552294ffca99583b99ddd762d86d38ffdc14fcbc04611efad8b126d2edf
              • Instruction Fuzzy Hash: 87D1C271A10A069FDB1CDFA8C884EBAB7E5FF54308F05462DEA16DB280EB34D951CB51
              Function 01278243 Relevance: .3, Instructions: 322COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction ID: b2bb8abd66a901f2dc15b92d1e1eb1965e567d196a501f86ea392330162672a6
              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction Fuzzy Hash: 0BB18375A10646AFDF24DF99C948EBFBBB9FF84304F10445EAA0297790EA74E905CB10
              Function 01200535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: 00d414456c358a7bf16865e67e3aca8f50dfc5c8c9404d64b38d9262f505e3a4
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: 42B12A31620646AFEB26DB68C891BBEBBF6BF44340F140255EA52D72C2E770ED41CB54
              Function 011F83C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1b8c788f76538b241d7ec6bf7b480d36396350e203feded5ca7f185666f6e049
              • Instruction ID: ab7f0924911777f80aa7ab6a80820ae8ada00b27c73b46a6da886601c774c6da
              • Opcode Fuzzy Hash: 1b8c788f76538b241d7ec6bf7b480d36396350e203feded5ca7f185666f6e049
              • Instruction Fuzzy Hash: FCC16870218381CFD764CF19C484BABB7E5BF88304F44496DEA898B291E774E908CF92
              Function 011EC427 Relevance: .3, Instructions: 280COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c15091999d7f8fdac096a60cf5ede736f2a978d4a29e2b21af425ede879ee687
              • Instruction ID: 7b42f95123a0434a40125e718e68a35770db87b2e3245121f8d8e9f0c66058ed
              • Opcode Fuzzy Hash: c15091999d7f8fdac096a60cf5ede736f2a978d4a29e2b21af425ede879ee687
              • Instruction Fuzzy Hash: 6AB16070B106668BDB28DF98CC94BB9B7F1AF44704F0485E9D50AE7241EB309D86CF61
              Function 0121E5E7 Relevance: .3, Instructions: 278COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5de6a1e9ed3aeffc53ee05f7706f9a0b15211daa2f33ffe822c95da88517131d
              • Instruction ID: d6eb4ab464c1841606b0e3fc18bb2ed9b23297560ccd5f007dcdcd7d36aa8f13
              • Opcode Fuzzy Hash: 5de6a1e9ed3aeffc53ee05f7706f9a0b15211daa2f33ffe822c95da88517131d
              • Instruction Fuzzy Hash: 61A12371E2025A9FEB22DB58CD88FAEBBE4BB14714F060125EF00AB2C5D7749D41CB91
              Function 01230185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fa7dea860975dfd4048384801f0599ae17b5d370f7013fcf428e6f9e28e3bd3e
              • Instruction ID: 87b7f143cce8d24a4e7bf420d9cc10b52a6967b1909d2b6a25e9e2c4efad297e
              • Opcode Fuzzy Hash: fa7dea860975dfd4048384801f0599ae17b5d370f7013fcf428e6f9e28e3bd3e
              • Instruction Fuzzy Hash: 8DA1E1B0B20716DFDB29CF69C491BBAB7A5FF84314F004029EB0597282DB74E942CB64
              Function 012C4500 Relevance: .3, Instructions: 275COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a757a4bded9dc471b5a762e2c7658962bb957ad0190112850dabd3c74361e173
              • Instruction ID: 71a09cb815bb62071567748a4d11a7526658a88eb3633b80d39fc8195ff178b7
              • Opcode Fuzzy Hash: a757a4bded9dc471b5a762e2c7658962bb957ad0190112850dabd3c74361e173
              • Instruction Fuzzy Hash: 4FA1DE72A24692DFD716EF18C990B2BBBE9FF58B04F05062CE6859B651D334ED00CB91
              Function 012C2B57 Relevance: .3, Instructions: 266COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction ID: 4b29e58eb93e7d3a9ea7493bd83e08ca33c9106af886544b97398e45ac284a9f
              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction Fuzzy Hash: 9DB14871E1061ADFDF19CFA9C880AADBBB5FF58700F148269EA14A7354DB30A941CF90
              Function 012760E0 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b3aeb72f5cd4966f11419b2c4f122ec02923efeb2fe664b5b843ba42a930933d
              • Instruction ID: 1710f71b7b5428c3810891de52b72f2bbd7871d45e8ae7a522735e5d19c76e2a
              • Opcode Fuzzy Hash: b3aeb72f5cd4966f11419b2c4f122ec02923efeb2fe664b5b843ba42a930933d
              • Instruction Fuzzy Hash: B4918071D1061AAFEB15CFA8D884BBFBBB5AB48710F154169EA10EB341D774E900DBA0
              Function 0120E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 189553497c17cd66fa732157b697719b33e1ee17719d8516e7531c4dc2e3aad2
              • Instruction ID: 764c92a2f4447a182e5e88da5deba899e8209b806ee6ab939ad879b029ac1136
              • Opcode Fuzzy Hash: 189553497c17cd66fa732157b697719b33e1ee17719d8516e7531c4dc2e3aad2
              • Instruction Fuzzy Hash: 13915871A30212CBDB26DB18D484B7E7BB1EF94714F064A69EE059B3C2E634D881CB51
              Function 012BAB40 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: ff0cdab0a87b64be8ab4585b381c810d38beba75b1e0ae89d3a394ff869c2ee2
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: 2F818071A2020A9FDF19CF98C4C1AEEBBB6FF94350F188569DA269B345D774E901CB40
              Function 0122E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bfc93cb5d29711054c2485a54756abd3ad26b94f84d01f6cec08a0fb94d1c4ab
              • Instruction ID: 9d9e7e7e0a4adf97c89dfbc0eb65039ef54c5ca059c13a896bebca5888b5695f
              • Opcode Fuzzy Hash: bfc93cb5d29711054c2485a54756abd3ad26b94f84d01f6cec08a0fb94d1c4ab
              • Instruction Fuzzy Hash: BB81A37191061AEFDB25CFA9C880BEEBBF9FF88314F114429E655A7250DB30AC45DB60
              Function 0120C640 Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52134d68f1949fe269dd1e3ad4d147ef9924d3d9ee7bb602a2e3a58de2ead0ef
              • Instruction ID: 62beae6667c26de59cb6d4c3af2714edaf1b0afcefc97bb883b6a980b7aa71df
              • Opcode Fuzzy Hash: 52134d68f1949fe269dd1e3ad4d147ef9924d3d9ee7bb602a2e3a58de2ead0ef
              • Instruction Fuzzy Hash: 4071D0B5C21266DBCB2ACF59D8907BDBBF4FF58710F14425AE941AB391D3B49810CBA0
              Function 012A47A0 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58d52d69378622b5f78067d3d3509749dad1985bbdcd38e4e6952d29bbbbd813
              • Instruction ID: e2e542d444b7edc1be4f3573bde40b7c889fd235e6fe960fe87e33a49440e585
              • Opcode Fuzzy Hash: 58d52d69378622b5f78067d3d3509749dad1985bbdcd38e4e6952d29bbbbd813
              • Instruction Fuzzy Hash: 0371DB70920246DFDB20EF59E968E9ABBF5FFA0310F84415AE7009B259C7B2D940CF54
              Function 0120260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8117cd77382eb8aa1fa7709104759e036a84027840d44e6fb812b81550d5f66
              • Instruction ID: 0e9675839e92a4aa4cbce9aa49569f52fa13c241d556fbcdc7d94b76e9d7c151
              • Opcode Fuzzy Hash: b8117cd77382eb8aa1fa7709104759e036a84027840d44e6fb812b81550d5f66
              • Instruction Fuzzy Hash: 9371E431624242DFD316DF28C884B2AB7E5FF84310F0486AAE959CB392DB74DC45CB91
              Function 0127035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 34e25f93fcad94a2cf26359319dc30aa1fb1342ea9abddc51a688d2e81cd076f
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 83718071A2060AEFDB11DFA9C944EEEBBB8FF48700F104569E505E7290DB34EA05CB54
              Function 012862A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fdb04945821bef17220f744bd902dfebc6e66cc95b9601037949cad998b70363
              • Instruction ID: 0915ae392b0362b23ff1eeadb2d4a1fa28b321b3c54f0efe44c9634d786d22fd
              • Opcode Fuzzy Hash: fdb04945821bef17220f744bd902dfebc6e66cc95b9601037949cad998b70363
              • Instruction Fuzzy Hash: 1E71F272261B02EFE732EF18C845F6ABBA6EF40720F144528E3568B2E1D775E944CB50
              Function 012C8324 Relevance: .2, Instructions: 192COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b22874a8dc61a0cde2a8146d4946f1cb2b0674339f55858515d6648af8248630
              • Instruction ID: 87d0f4a70a95789a7c39d6a333651d7ebcb5fb5f5c3bd30eeeb2bef8b9fd8df6
              • Opcode Fuzzy Hash: b22874a8dc61a0cde2a8146d4946f1cb2b0674339f55858515d6648af8248630
              • Instruction Fuzzy Hash: 5E712FB1E6020AAFDF16DF94C841FEEBBB9FF14750F104219E615A7290D774AA05CB90
              Function 012AA250 Relevance: .2, Instructions: 184COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9fa370b3395d4f1adb116193acf0de4ab92c6f9c2431d97e003aba5b47e66baf
              • Instruction ID: e1c982a413a281bfe1079772aeb0e8a72e582a4440b726696588ae6e12e11a3a
              • Opcode Fuzzy Hash: 9fa370b3395d4f1adb116193acf0de4ab92c6f9c2431d97e003aba5b47e66baf
              • Instruction Fuzzy Hash: 9A51B472524752AFD712DE68C844E6BFBE8EFC5750F410929BA40DB150D770ED09CBA2
              Function 01298350 Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 393613ae3cd29bad31f3ec11d27abd47a286700032ae4e10a91a1f94f5cdd686
              • Instruction ID: d0ae3354585a54dd871f2a40f1baa803e6c9a05c516ab9fca0f7a886b4d8fcfe
              • Opcode Fuzzy Hash: 393613ae3cd29bad31f3ec11d27abd47a286700032ae4e10a91a1f94f5cdd686
              • Instruction Fuzzy Hash: BE51C070920709EFDB21CF5AC880AABFBF8FF95710F14461ED296976A0D7B0A545CB50
              Function 0122E443 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 10cfc9add6573886095c121a966ed9996c21bd57b3b4c3183431e8be394c60b3
              • Instruction ID: 5de1a739a42b7b25a297867a862665ad8e9ef5b9249c45ab6eb4175f62d7de98
              • Opcode Fuzzy Hash: 10cfc9add6573886095c121a966ed9996c21bd57b3b4c3183431e8be394c60b3
              • Instruction Fuzzy Hash: 27517F71220A16EFCB22EF69C980EAAB3FDFF14744F41056AE641D72A1DB34E940DB50
              Function 01294180 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e304deff496e392a4c2e28c572012dcca2ae759be1961ee3b34e9469ad1a4a1
              • Instruction ID: ea30b034197cbb063bd387db7941f075f78bd126564dfc37bd530491891dd6eb
              • Opcode Fuzzy Hash: 5e304deff496e392a4c2e28c572012dcca2ae759be1961ee3b34e9469ad1a4a1
              • Instruction Fuzzy Hash: 1551AA716283829FDB14EF2DC981A6BB7E5BFC8208F544A2DF689C7250D730D906CB56
              Function 012145B1 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: 2d7bb65a7282dcc5ff2823f5f2b604c9b0b1dd377e7b149fd8cdb5c58e5326fa
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: 3851AC71E1024AAFDF19EF98C480BFEBBF9AF55314F044069EA04AB244D734D945CBA0
              Function 0127E9E0 Relevance: .2, Instructions: 154COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction ID: 1cd15d262e06885049274b35d795304941ccc065a4066b10d5857ba600976e3c
              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction Fuzzy Hash: 5F51B571D2021AEFEF219A94C885BBFBF79BF44324F1646A5D61267190E7709E408BB0
              Function 012B8B28 Relevance: .2, Instructions: 152COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 69b207aa9850b91992feb54785a726ef6a9fc8ee75de04edc539d71e2e6985d2
              • Instruction ID: 8c1219790e250ed14aef0a641f0b24dcdb8d7fe485050d09ca42383d689b4456
              • Opcode Fuzzy Hash: 69b207aa9850b91992feb54785a726ef6a9fc8ee75de04edc539d71e2e6985d2
              • Instruction Fuzzy Hash: 1041B5B07216029BD7299A2DC8D4BBBBB9EAF907A0F044119EA5DC7281E774D801C791
              Function 0127CBF0 Relevance: .1, Instructions: 148COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53aada87ddd0fccae3d8ed9ef64f8959980ff1f1bcec94e4dce8bdffe2ed9ae5
              • Instruction ID: e7da400143f6c49249013780d7c77fdbe74d1819bc11e193fcdf50b36ece8e68
              • Opcode Fuzzy Hash: 53aada87ddd0fccae3d8ed9ef64f8959980ff1f1bcec94e4dce8bdffe2ed9ae5
              • Instruction Fuzzy Hash: 135198B292021BDFCB20DFA8D8849AFBBF9FB58318B154619D605A7704DB34AD11CF90
              Function 0122A430 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cc6abe70a5c6d418af74aefc305f5e85146092b18c39b50ccfa0cabf87affa6
              • Instruction ID: 93a971e99db49363e3808856863b27b34056973c7e797e39cffddf627b203557
              • Opcode Fuzzy Hash: 8cc6abe70a5c6d418af74aefc305f5e85146092b18c39b50ccfa0cabf87affa6
              • Instruction Fuzzy Hash: CE41F871660212AFDF25EF68B885F7E77A9EB55708F01002EEA019F645D7B19C90C790
              Function 012BA9D3 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction ID: 21f7d621ab41043a67c7c174ef02843f5654cddc8fab85a272f992a02581e34b
              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction Fuzzy Hash: A741D7716207179FD725CF18C9D4AAAB7E9FF90350B05862EEA5287641EB31ED04C7D0
              Function 012201F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 85cfb9b1caa148012d0a308edbb1e8108de8591cca366f894fc82349cc306d2f
              • Instruction ID: 49c61ea9ec8df2220a633b67f20bcdb8117533c50a0c470e2941c11cf893697a
              • Opcode Fuzzy Hash: 85cfb9b1caa148012d0a308edbb1e8108de8591cca366f894fc82349cc306d2f
              • Instruction Fuzzy Hash: 6B41CF35920226EBDB14DF98C440AEEBBB4FF59710F14821AF915FB240D775AC41CBA8
              Function 0121EBFC Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 847ef7aec2f8551137f0eeb875adcd3c04a9d85183546d97f974959fb982390a
              • Instruction ID: 0a9b00d5396c84f075ba1ef7ad81327b77eee0bf3ff7141eae6d7c4e631792b0
              • Opcode Fuzzy Hash: 847ef7aec2f8551137f0eeb875adcd3c04a9d85183546d97f974959fb982390a
              • Instruction Fuzzy Hash: 5841E5B12203028FD726DF28CC84A6BB7F9FFA8214F05492AEA57C7655DB75E8448B50
              Function 01232750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: d6e8ad8e03732d33c0bfd48d03b6b50e96ae810fcc40758eb5ef5fbc0a4b59ac
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 42515B75A10216CFCB15CF9CC580AAEF7B6FF84710F2481A9DA15A7395D770AE82CB90
              Function 011F6154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8ce5bee51484a8ce57e5babb705386a336aaf82c7f658fad1a1eca48eaf995be
              • Instruction ID: e1af955f3c716b09a5a0b617ad1a640017b818056100551283608e321ca16312
              • Opcode Fuzzy Hash: 8ce5bee51484a8ce57e5babb705386a336aaf82c7f658fad1a1eca48eaf995be
              • Instruction Fuzzy Hash: C75105B0914257DFDB2ACB68CC44BB9BBB1FF15314F1482A9E629A72C1D7349981CF84
              Function 011F0BCD Relevance: .1, Instructions: 130COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e3f36fa6b7da4865a860bfa4782ba7a9804e518268d3e711b7c99d6a1e7a66df
              • Instruction ID: 75028910db443a0f01b4bec08f85134981852588397b878b3110f393c0795651
              • Opcode Fuzzy Hash: e3f36fa6b7da4865a860bfa4782ba7a9804e518268d3e711b7c99d6a1e7a66df
              • Instruction Fuzzy Hash: 7441A471A10229DFDB25DF68C940BEE77B9FF59740F0100A9EA48AB242D7749E80CF91
              Function 012B866E Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: b6663194fd49e34ea0ddd577b05dabc638b248339ca41a8f4b6acd7d56653b78
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 99418375B20106AFDB15DB99CCC4AFFBBBEAF84784F144069E61897341D670DD408760
              Function 011F0887 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dee5cf661c3cbc91a477a4f86aba6fffe8fd16c4e73c650357c05e6f27101468
              • Instruction ID: 50bbbc98bd689cfd2a83f1f76b26d5cd4c917ec8cb413dc76cc6750f7f5b152c
              • Opcode Fuzzy Hash: dee5cf661c3cbc91a477a4f86aba6fffe8fd16c4e73c650357c05e6f27101468
              • Instruction Fuzzy Hash: 3C41AFB1610702DFE729CF28C490A22B7F6FB49314B114A6EE65B86A52F730E845CB90
              Function 0121A470 Relevance: .1, Instructions: 127COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e8bb8bdb52cedecc4b02e89b7d1d7a74a19d241b14a9a722c7e2ce51c4f740a
              • Instruction ID: d8f101a5fea36c1bf9ea9e8243ee978bad52725aa703762c5b1cbb91ca1c06f9
              • Opcode Fuzzy Hash: 3e8bb8bdb52cedecc4b02e89b7d1d7a74a19d241b14a9a722c7e2ce51c4f740a
              • Instruction Fuzzy Hash: F4410E32966286DFDB25DF68E4887ADBBF0FB28710F440165D511AB289DB709900CBA0
              Function 011F8BF0 Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d4e11def229c1c2eeae701edf7872cb946910aa5cd67f7351564bfc34ba9890
              • Instruction ID: 78708e24dee02aac926c4f253edf6b8dec4d0388fe39822a944d4fa9f1a925ed
              • Opcode Fuzzy Hash: 4d4e11def229c1c2eeae701edf7872cb946910aa5cd67f7351564bfc34ba9890
              • Instruction Fuzzy Hash: C341F632910246DBD728DF48D884BAEBBF5FF94B08F15812EDA019F295C735D842CB90
              Function 011E8918 Relevance: .1, Instructions: 123COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 906443792c24cce94f3ed12682096ae50c1db5acacfe4d8db01965dc2a1d075f
              • Instruction ID: 1e2050fd9cb28b25e0c022f1f35dffa22a20a754c42ef99012b4b5831f2ea762
              • Opcode Fuzzy Hash: 906443792c24cce94f3ed12682096ae50c1db5acacfe4d8db01965dc2a1d075f
              • Instruction Fuzzy Hash: 30417B329187069FD316DF68C840A6BF7E9AF84B54F41092AFA84D7250E730DE048B93
              Function 011EA020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 61e6d1d93f794998fd6ba8a0c44af1db568b62171a2c264d18d17f5f8165962d
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: D1414C31A14612DBDB2DDEA894487BABFB1EF50754F17806AFA498B240D732DD40CB91
              Function 011F09AD Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7178c5de815fa1ec51d01557e41bba4da03ada66f8cdf48e23104bb9da468e0
              • Instruction ID: 9975afade0c57565d9a5e3b7bbefa4e8872f846fe9e880c1b7d5274cd0b115c4
              • Opcode Fuzzy Hash: a7178c5de815fa1ec51d01557e41bba4da03ada66f8cdf48e23104bb9da468e0
              • Instruction Fuzzy Hash: 72417C71610601EFD72ACF18C840B26BBF5FF58314F21862EE649CB292E771E942CB91
              Function 01220710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 4ef7151169de4676902bc8dc505c643f98b7cfbb105d1995ec8193d79736230f
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: B4412871A10715EFDB28CF98C980AAEBBF5FF18700B10496DE656DB291E370AA44CF54
              Function 011F262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32bad814a9d5950569bccb53e86d7a84835cdd8bb037e475532488172174404e
              • Instruction ID: 6ce2855b216bb8b4d617e5ab223d74ac6651041abd8684f34bb5e88ad9b0fe6d
              • Opcode Fuzzy Hash: 32bad814a9d5950569bccb53e86d7a84835cdd8bb037e475532488172174404e
              • Instruction Fuzzy Hash: 6F41C2B1911B01CFCB2AEF28C944A69B7F1FFA4324F11826DC6169B2A1DB30D941CF51
              Function 0122C8F9 Relevance: .1, Instructions: 116COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75fade28c31066b2cc7a9ecec6c970f799eee10ccd258ebc261569403b0cbabf
              • Instruction ID: 25c54d34971f13159e55b279cb53b6d48f381baacf89a6e56af0518048c632a9
              • Opcode Fuzzy Hash: 75fade28c31066b2cc7a9ecec6c970f799eee10ccd258ebc261569403b0cbabf
              • Instruction Fuzzy Hash: 8F318DB1A20356EFDB11CF58C0407A9BBF4FB09714F2081AED119DB291D3769942CF90
              Function 012707C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8ff96a6d5317939e38b900572d3d8aeda61ab284e110edc5808db61f68e441b
              • Instruction ID: 84c5d493186ad5f8d09ee098daa7a42998961ef624ba3a020e7d46f84db7404c
              • Opcode Fuzzy Hash: a8ff96a6d5317939e38b900572d3d8aeda61ab284e110edc5808db61f68e441b
              • Instruction Fuzzy Hash: 6A419DB2614351AFD720DF29C845BABBBE8FF88614F004A2EF598C7250D770D904CB92
              Function 011E80A0 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef7196624d814a53929d0b7cce3f6b292ad33ad8377050dfd3c7ad12e8357a7b
              • Instruction ID: c57348901d478e42a7c2d0c4048729e46e43180819693f4262a9d3a2d768cb0a
              • Opcode Fuzzy Hash: ef7196624d814a53929d0b7cce3f6b292ad33ad8377050dfd3c7ad12e8357a7b
              • Instruction Fuzzy Hash: 7041F071E04A16EFCB0DDF98C984AA8B7F1FF54764F158229D916A7280DB30ED418BD0
              Function 012705A7 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 89366045c65abe72d4fcd8de506b2aac1b96aefdad93acdb81d253aa9aba0fef
              • Instruction ID: 76b5f89f0a235e7971218118a9be3a544eb04ae1605cf14e5c2ebdde57c1e6e4
              • Opcode Fuzzy Hash: 89366045c65abe72d4fcd8de506b2aac1b96aefdad93acdb81d253aa9aba0fef
              • Instruction Fuzzy Hash: D441C3726246429FC321DF69D850A7BB7E5FFC9700F140619FA9497680E730E908C7AA
              Function 011F4859 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a311058562d7020575d7f4fd077bd7b5bd0dcf8355a62c6123a6b20422d22175
              • Instruction ID: d48dbdf7c4bda02a929e3ffd2d3379b3e32736be388cb9a80ad2706b700924e2
              • Opcode Fuzzy Hash: a311058562d7020575d7f4fd077bd7b5bd0dcf8355a62c6123a6b20422d22175
              • Instruction Fuzzy Hash: E741AD703103028BD729DF28D894B2BBBEAFF84354F14452DEB458B6A1EB30D941CB91
              Function 011E8B50 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9ddf5428f87fa2b0d678db3fbe49b1ea39d3fd79e17102b9844a820ebfe1fdb2
              • Instruction ID: 1b9a506ec25001b7c7207d5373973cc25cb570b3c4f42e221fddabed8a3f7d77
              • Opcode Fuzzy Hash: 9ddf5428f87fa2b0d678db3fbe49b1ea39d3fd79e17102b9844a820ebfe1fdb2
              • Instruction Fuzzy Hash: D341C171E01A05CFCF19DFA9C9849EDB7F1FF89324B11862ED566A72A0DB30A941CB40
              Function 012002E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: abba580e132643aeba26bef58e7e60cf1e994688ddaa20a85c4970fe279ff364
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 4E312A31A24245AFEB239B68CC84BABBFE9AF54350F0442A5F855D7393D3B49884CB54
              Function 0129E3DB Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae330803c7a54c0183dde57da0c1074cd99945ff7de66edb8d1af606c0e1218f
              • Instruction ID: e9de77e2d495ca2443d761c020377cd00b4f2da1213eac7788b5c27f5d53c27b
              • Opcode Fuzzy Hash: ae330803c7a54c0183dde57da0c1074cd99945ff7de66edb8d1af606c0e1218f
              • Instruction Fuzzy Hash: A6318A75760716ABDB26EF598C41F7F76E9EB58B54F110028F600AB2D1DAA4DC01C7A0
              Function 012A4B4B Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6fe030963588779a81eb825b82c644d4d09380b837cc1a7738dc80096c4f8f92
              • Instruction ID: 13bd1b580ddd4c05410c4a154aaccb73e005dabca62dea282fb3afbfe56a867a
              • Opcode Fuzzy Hash: 6fe030963588779a81eb825b82c644d4d09380b837cc1a7738dc80096c4f8f92
              • Instruction Fuzzy Hash: 6E310632615252CFC321EF1DE884E66B7F6FB80320F89446EEA598B251D771E800CB80
              Function 011F4260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1b0144e35972cc885dc16c39df377f3e9cbf386d72038c21a6cbac01c80eee3
              • Instruction ID: aa1555ca03b4b2ed8f0c04f1c610d7744296d3d8db8407203aabd4ec4374985d
              • Opcode Fuzzy Hash: d1b0144e35972cc885dc16c39df377f3e9cbf386d72038c21a6cbac01c80eee3
              • Instruction Fuzzy Hash: 2B41B971210B46DFD76ACF28C881BA77BE9BF58754F01842DEA9ACB650C774E800CB94
              Function 012A4BB0 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f3c9360d3f77ad04176aee6e6e361bad925c67554e5b886a8d9d022aa1ce8e7
              • Instruction ID: 8c9b515c58ff1ae6c4eb2c684d5e3b49c7fe3ef5ebeb1a748997ae87c37a3cea
              • Opcode Fuzzy Hash: 6f3c9360d3f77ad04176aee6e6e361bad925c67554e5b886a8d9d022aa1ce8e7
              • Instruction Fuzzy Hash: ED31B0716243428FD324EF28D894E2AB7E6FB84710F49496DFA599B391E770EC04CB91
              Function 0126EB1D Relevance: .1, Instructions: 100COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 59b8fa1e1260d1ece2595f8e8f47a7d6fb4badb4d7e60c8377529191bde2237b
              • Instruction ID: 5101f28f4ae5218bdc810a026b5c7b9290a05bd7d4715c053e177434287f0471
              • Opcode Fuzzy Hash: 59b8fa1e1260d1ece2595f8e8f47a7d6fb4badb4d7e60c8377529191bde2237b
              • Instruction Fuzzy Hash: 9631C1752316839BF322DB5DC948F697BDCBF51B44F1E00A0AB459B6D2EB68D880C225
              Function 012B61C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c671c0f35f5c647ec57283626cfe7e14c4507e907ac504767133c7c6c54ce17
              • Instruction ID: 9171437c4dfe823c60ae241e53cb9a861243714484551dbd0f3b9b01fc579a9b
              • Opcode Fuzzy Hash: 9c671c0f35f5c647ec57283626cfe7e14c4507e907ac504767133c7c6c54ce17
              • Instruction Fuzzy Hash: 5531C475A1015AABEB15DF98CC81FBEB7B5FB44780F454168EA00EB284D770ED00CB94
              Function 0129483A Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1b16517678b1a94b799e7fedea2b974910bf89f787e24246fd256aed8904b07
              • Instruction ID: 30f1f3f92d794c8118249abda95170b3faeebb88889ff210b45589cc5ec723b9
              • Opcode Fuzzy Hash: c1b16517678b1a94b799e7fedea2b974910bf89f787e24246fd256aed8904b07
              • Instruction Fuzzy Hash: 98316776A5016DABDF21EF58DD48BDE7BF5AB98310F1001A5E508A7250CB30DE91CF90
              Function 0121EB20 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4a97749d888dab4fd24b398efddba9a6d631ad97145d652d6857432df040e25
              • Instruction ID: 2c302e69011722a6e91098a915976099b547b750bd5a94887f3e0d70280c0b98
              • Opcode Fuzzy Hash: a4a97749d888dab4fd24b398efddba9a6d631ad97145d652d6857432df040e25
              • Instruction Fuzzy Hash: 5C31A672E21219AFDB22DEA9CD40AAEBBF8FF54750F014525EA15D7254E6709E008BA0
              Function 012B60B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93f3ca2b61d0e49093cf72fc38914540adeaac65e1ff08f8bee40b39497c71e4
              • Instruction ID: 038fe97d5f7f2e2f9c6bb25e0b1dc745a23d85f7f0301095e933a80b5e06dd35
              • Opcode Fuzzy Hash: 93f3ca2b61d0e49093cf72fc38914540adeaac65e1ff08f8bee40b39497c71e4
              • Instruction Fuzzy Hash: 4931C272A30606ABDB13DB99C890BBAB7F9AB44394F144069E615DB382DA70DD008B90
              Function 011F07AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a30fff1592ae129f110b39e7e262cb3119a629f2779e861eaa7b95eee5fe2f00
              • Instruction ID: 5b5bad4fcaee609d3d588fc86964020eb8ba2ebed10f4408ff7947c2f3ca0ab2
              • Opcode Fuzzy Hash: a30fff1592ae129f110b39e7e262cb3119a629f2779e861eaa7b95eee5fe2f00
              • Instruction Fuzzy Hash: F131B672E04612DBC71ADE64C840A6BBBE6AFD8664F02452DFE5597312DB30DC1187D2
              Function 011F8550 Relevance: .1, Instructions: 94COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e3301477abd64f3de499d299a3985fd18328bea0d6e1fc1e1ab1c3dde158821
              • Instruction ID: 1e6342be8f5794b050cf5c15c54e6493913627756f807a44954a77d824c3952e
              • Opcode Fuzzy Hash: 6e3301477abd64f3de499d299a3985fd18328bea0d6e1fc1e1ab1c3dde158821
              • Instruction Fuzzy Hash: D0318E71619302CFE764CF19C884B2AFBE5FBA8B10F05496DEA84973A1D770E844CB91
              Function 0122A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 05837dc3f7e0ae61a5f89e6bdff243be9724aed3b3250a5692df33fcce76707b
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 14312CB2B10711AFD765CF6DCD41B5BBBF8BB48A50F04092DE69AC3A51E670E900CB64
              Function 0129EBD0 Relevance: .1, Instructions: 91COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb418965ee58a7d33ca33038a7ee7fca3eeafcf6e449d66ff09fb9fe60dc13e3
              • Instruction ID: edcdf35c7577eda704df0f8c0d1bd10a89eb1fc93d1c265474a0e3072aebc1d1
              • Opcode Fuzzy Hash: eb418965ee58a7d33ca33038a7ee7fca3eeafcf6e449d66ff09fb9fe60dc13e3
              • Instruction Fuzzy Hash: 1231EDB1525382CFCB15DF1DC44482ABBF1FF99204F464AAEE5889B352D331E940CB82
              Function 0121438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b967cdd5aad3150a99e4dfae1802679f02842cd6e0bfac9ca0353661aab96a75
              • Instruction ID: 87078569e520a122dc95589d7b5a07bfad727d699cfc1e4800ec168432dd4b81
              • Opcode Fuzzy Hash: b967cdd5aad3150a99e4dfae1802679f02842cd6e0bfac9ca0353661aab96a75
              • Instruction Fuzzy Hash: 3E31F631B602869FD720EFB8C981A7E77FAEBA0304F008529D509D7258D730D945CBA0
              Function 011ECB7E Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction ID: 604ee90afcb1c5f05bbd4653137f2e7a3d2cb4d3f31fcf76fc36b9a451db3535
              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction Fuzzy Hash: B4210632E5165BABDB19DBB98801BEFBBB5AF54740F0680359E16EB340E370D94087E0
              Function 011EC156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91264397c74449d1d9b8071e37052b29468803b9aa66103645ff9deb407e38ff
              • Instruction ID: c999105c1ac0d3bd52e67b4580dcd6f765d45b2f864394e32bdc9e31d424ff4a
              • Opcode Fuzzy Hash: 91264397c74449d1d9b8071e37052b29468803b9aa66103645ff9deb407e38ff
              • Instruction Fuzzy Hash: E63147B15102068BDB29EF68DC44B797BB4FF60714F4482ADDA469F386DA34D982CF90
              Function 012AC3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: 0c8258092cebf620ba394d8fd166eec96043b7818db669792d9efae8caea299d
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: EA21303E610652B7CB15AB958C00ABBBBB4EF40710F80801AFB558B691EA34DD60C364
              Function 011EE420 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 375e576ed5d14e895e893a1eb778233acd4ef28336d8a24d422ddf3088600d03
              • Instruction ID: 7f2e8e73dae9327f487c60406df58b12d258de1ba640e4797727e08772d285ed
              • Opcode Fuzzy Hash: 375e576ed5d14e895e893a1eb778233acd4ef28336d8a24d422ddf3088600d03
              • Instruction Fuzzy Hash: 2D31C231A0292D9BDB39DB58CC45BEAB7F9AB15740F0101A1E645EB290D7749E808F91
              Function 01224588 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction ID: 9f63cd604fd37db03a95e3b235c1382b2c95abcb8a67ae9fe80eb14e283aa352
              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction Fuzzy Hash: 81219171A10659FFCB21DF98C980AAEBBB5FF48314F108065EE159B241D671EE058B90
              Function 012244B0 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1de288a3c1f8abfde528590682fb46807ecf4a198edce936b7809155b738ea00
              • Instruction ID: e93f58124fac3042d7658df3b96145cec3052bbc219e2f8753506bbd1f07ba60
              • Opcode Fuzzy Hash: 1de288a3c1f8abfde528590682fb46807ecf4a198edce936b7809155b738ea00
              • Instruction Fuzzy Hash: 7321B472624796ABC722DF18D440F6F77E4FF98760F004519FD949B641D730D9108B91
              Function 011EE388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: c47fa6bb35e2c0790a6d0be56fa6c47479dca964a7a40223d2261852a6e432ba
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 1A318B31600A05EFD729CBA8C988F6AB7F9FF85354F1045A9E512CB281E730EE01CB51
              Function 0126E609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c4b49f7174588a86f4b82c91ecbafe0f1b31a461bcb5287e15799bc1a0fcadae
              • Instruction ID: 6e7ab159acaef3f025cb63e402fe85ff89f2f41e215e00fd06dedcb9895e48fa
              • Opcode Fuzzy Hash: c4b49f7174588a86f4b82c91ecbafe0f1b31a461bcb5287e15799bc1a0fcadae
              • Instruction Fuzzy Hash: C431AD79620206DFCB14DF18C8849AEB7F9FF94704B164459E90A9B3D1E771EE80CB91
              Function 012706F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33b936586f94c9d9db6020744c4d096a61eb3dcc723eace1ad38328045a4e930
              • Instruction ID: 16792fa0de6e49eac02db4bc9db2b6e07735a58fc5de856a3db7e3a4c1c9aee9
              • Opcode Fuzzy Hash: 33b936586f94c9d9db6020744c4d096a61eb3dcc723eace1ad38328045a4e930
              • Instruction Fuzzy Hash: E521AD71A1062AABCF25DF59C881ABFF7F4FF48744B400069F941AB240D778AD41CBA4
              Function 0127019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 468542b52ef338a4a3d6d3817db3836b579019599bbe51897d42784a50114005
              • Instruction ID: bd5b20d10678f9c4c3fd6ac3f0208d11486a50cc278db95bb898836999881550
              • Opcode Fuzzy Hash: 468542b52ef338a4a3d6d3817db3836b579019599bbe51897d42784a50114005
              • Instruction Fuzzy Hash: 0C21DE72620606AFD716DB6CD840F6AB7B8FF99740F140169FA04DB7A1D638ED00CB68
              Function 01270283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c2beca759b0742f2ae738fb4f3635b0942748311f947459a14cf3283b9284b4
              • Instruction ID: bd15351038223bbfa1103274e30706b4402923cef57ca0710fda3f7900b7ec2a
              • Opcode Fuzzy Hash: 8c2beca759b0742f2ae738fb4f3635b0942748311f947459a14cf3283b9284b4
              • Instruction Fuzzy Hash: FE21F2729243469FD712EF69C844F6BBBDCAFA2240F080556BE80C7291D734D908C7A6
              Function 01212835 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fefb74edb129049133739fc7d672a030863cd8ffef7ab26f4d92385a3e3ea5e5
              • Instruction ID: 8b90e11faeb2c3e8452ffc0c719f674ada1cf5ddd7221d3a461670d55661fee3
              • Opcode Fuzzy Hash: fefb74edb129049133739fc7d672a030863cd8ffef7ab26f4d92385a3e3ea5e5
              • Instruction Fuzzy Hash: E121D731635683DBE322E76C8C45B257BD5BB51774F290364FF209B6D6DBB8C8018254
              Function 0122A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8ab5c06f74d0eafeb2309535d1cc4cd0c649ee29a07512e295ee32fe42d524e
              • Instruction ID: c4fd62f99e4cd1577ad274bbc3ab96b05c4b826c9b204c19639275cd92d35039
              • Opcode Fuzzy Hash: d8ab5c06f74d0eafeb2309535d1cc4cd0c649ee29a07512e295ee32fe42d524e
              • Instruction Fuzzy Hash: A221AC75261A11AFC725DF29C801B5677F5BF08704F148468E509CBB62E371E842CB94
              Function 012AA49A Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b387e75ad3b4bbbd293659ecf2ecc1756203b781fd2e36e7c367e8a032a5e41
              • Instruction ID: 12b8a5039896ecb1c36b768a7234af7609b7a00d6a7d7b14e00d497d9487019d
              • Opcode Fuzzy Hash: 7b387e75ad3b4bbbd293659ecf2ecc1756203b781fd2e36e7c367e8a032a5e41
              • Instruction Fuzzy Hash: 40113A727A0B11BFE3225555AC51F27BB99DFD4B20F900068B758CB180DBB0DC01C7A9
              Function 01270946 Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7ef6568f321e019cd6b28d56e355ae17ca93a4209cf8bdc88b70a0d0bbdd6e2
              • Instruction ID: f84fe7952611fae32821562649a71a2eec3a6f348abbd683b89bbd6d6fa29809
              • Opcode Fuzzy Hash: f7ef6568f321e019cd6b28d56e355ae17ca93a4209cf8bdc88b70a0d0bbdd6e2
              • Instruction Fuzzy Hash: 2F2116B1E10209EBCB24DFAAE8849AEFBF8FF99600F10012EE505A7240D7709945CB54
              Function 012880A8 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 68b0fad45ebb202951ded9bb7db44937acbeeea766ed43f016156539054d334e
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: 1F218E72A1020AEFDF22AF98CC40BAEBBBAEF98310F204415F940A7291D774DD518B50
              Function 01220124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: 3c7472733e051b0545e349bacba4d48d21f3d11e97e86d9e1fffb029327464fc
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: 6211E273610616BFD7229B44CC45FAEBBB8EB80754F200029F7008B190D671ED44DB54
              Function 011F8770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2770d71bbeca70bd0fe61df3398643a3f51996f9795fa0b1cec19498c87a7a5
              • Instruction ID: d201b87b1ee5527eaaa6692f3811532176fdd0fdf5b550fbcc912f9eaf4a38e8
              • Opcode Fuzzy Hash: a2770d71bbeca70bd0fe61df3398643a3f51996f9795fa0b1cec19498c87a7a5
              • Instruction Fuzzy Hash: 7011C135700A119BDB19CF8DC4C0A26BBE9EF5A710B19816DEF089F204D7B2D902C790
              Function 011F80E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8131e5e22cf17a90ad46b70d22d7c395e8b38de6ae81f3e8cc2d26392b3cbf65
              • Instruction ID: 730d00545af7a1b616cc05f8cf205d7e20c0630a6e0ed70f1ee0804a30e28934
              • Opcode Fuzzy Hash: 8131e5e22cf17a90ad46b70d22d7c395e8b38de6ae81f3e8cc2d26392b3cbf65
              • Instruction Fuzzy Hash: C1216F75A04205DFCB18CF58C581A6EBBF5FB89314F24426DD205AB351C771AD06CBD0
              Function 0122674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39d2ecf1c560d6ff755cead93b71e618fb8dbf8e548b1fb8445fdd7243487936
              • Instruction ID: d28d78297b2356d4a5811ae9a2e87b38e2ca95e2a5824b7ecad2b0c2e169c9db
              • Opcode Fuzzy Hash: 39d2ecf1c560d6ff755cead93b71e618fb8dbf8e548b1fb8445fdd7243487936
              • Instruction Fuzzy Hash: 3D219072520A11EFD725DF68D841F6AB7F8FF44250F40882DE99AC7251DA75AC50CB60
              Function 01286870 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e77abf97853e1c14c956cfb70e0cb050fb61d1def89a639410731d6d62eff348
              • Instruction ID: b923c5606537ec73d7653d9ef4912ed2e33b7ee0839e1c45e2854709d833839e
              • Opcode Fuzzy Hash: e77abf97853e1c14c956cfb70e0cb050fb61d1def89a639410731d6d62eff348
              • Instruction Fuzzy Hash: 6511A332261615EFC722EB5DC940F9A77A8EF95B54F114025F205DB2D1DA70E905C790
              Function 0121E8C0 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30e3c265018a1a026dcdcaf253348a5d73184c37622d6134fa0b947c361f5fcb
              • Instruction ID: 0915a9614983bfb64fb7be0d41adcaa12d6af0c78086ce28fa18906c7a889461
              • Opcode Fuzzy Hash: 30e3c265018a1a026dcdcaf253348a5d73184c37622d6134fa0b947c361f5fcb
              • Instruction Fuzzy Hash: 6D110C323201159FCB1ADB29CD85A7B729BDBE6374B254539DE22CB295E9309841C391
              Function 012266B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5bd815ddf00a22f89f8b646502d54cf4113322905ce84ab85ed7dbcae467c3ee
              • Instruction ID: 3e90e43462f0f20d83b7ea9c2983b311406042269ad4385b20820e29b12549cc
              • Opcode Fuzzy Hash: 5bd815ddf00a22f89f8b646502d54cf4113322905ce84ab85ed7dbcae467c3ee
              • Instruction Fuzzy Hash: 4A110E73A60222EFCB2ACF59E480A1EBBF8EF94200F05407ADE059B351E670DC00CB90
              Function 012BA8E4 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction ID: 2a5c84b91f72aef745a6966f5093524d5ba7c797c4f30ba6b774d808ef978028
              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction Fuzzy Hash: 9E110436A1090AAFDB19CB58C841BADBBF5FF84350F058269E95597340E671ED41CB80
              Function 0127E7E1 Relevance: .1, Instructions: 59COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction ID: ea7170ed57631189d2b77d4e607b726ee389e094a1d9b5ac6a102c9b8d857d8f
              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction Fuzzy Hash: 5911E032620606EFE7219F48C840B17BBA6EF41754F0684ACEB089B270DB70EC40CBA0
              Function 012127ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e46f2fd9edcb1320c668fa7f672ce35d3a3d21f0c20ea5b7c5136195b6517b7
              • Instruction ID: f4d41e356f01a546f41ac0a23a0e0846c0a75234a51df63f4c9f8cd15d2d3b22
              • Opcode Fuzzy Hash: 7e46f2fd9edcb1320c668fa7f672ce35d3a3d21f0c20ea5b7c5136195b6517b7
              • Instruction Fuzzy Hash: D3012631236646AFE316E26ED885F376BCCFF50354F160065FE008B291EA64DC00C2B1
              Function 011F4690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88f70443ae9e85fdaa44e45d409a91859cde836446e052937e8ce27a39392550
              • Instruction ID: 672b02793cf5385c76b2c3e8bdd3bb9c04b8a2c5c224ccf53125c271dc3f6975
              • Opcode Fuzzy Hash: 88f70443ae9e85fdaa44e45d409a91859cde836446e052937e8ce27a39392550
              • Instruction Fuzzy Hash: BA110236244A45AFDB29CF5DD840F577BA5EB95B64F01421DFB048BA40C330E810CF60
              Function 012C4B00 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 43e3dc99546bf282d6ba43ab448b150114c33e3a58e9b82c8b8713787df74d01
              • Instruction ID: 3b51f580f557e7d2328cf02768c567b42b53a5623ce14e8bfdd0b572975907fa
              • Opcode Fuzzy Hash: 43e3dc99546bf282d6ba43ab448b150114c33e3a58e9b82c8b8713787df74d01
              • Instruction Fuzzy Hash: 4F1129326206529FD722EA29D854F67B7E6FFC4B10F14461DEB42C7290EA30E802C790
              Function 01226620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32cf88272616c7a1187e1249f5b5095a3422073ae4f9253e48b42ce768aed528
              • Instruction ID: 29983032c91bf1375e7633df6d6e9034dcc7f577981290e9550391680d2a3980
              • Opcode Fuzzy Hash: 32cf88272616c7a1187e1249f5b5095a3422073ae4f9253e48b42ce768aed528
              • Instruction Fuzzy Hash: B411AC72A10626AFDB32DF99C980B6EFBB9EF84750F500058DE00A7200D738AD018BA0
              Function 0121EA2E Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a64e611f865f355b5884ba269cdd51f4ccf3da41292b5296e8f87e027eb6287
              • Instruction ID: 96c444acb34bcd0800b77be2c66b6dfb09ef6e461a6f1f6735306e53d65c6351
              • Opcode Fuzzy Hash: 4a64e611f865f355b5884ba269cdd51f4ccf3da41292b5296e8f87e027eb6287
              • Instruction Fuzzy Hash: 0201F97652010A9FC716DF18E808F25B7FAFF91318F214179E2058B265C770DC42CB90
              Function 0121E53E Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction ID: 0af6c8c8192cbd5211de19576a09cbb149fa77e859949c469b9279909c39f8a3
              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction Fuzzy Hash: C411C272631AC3AFE723D72C9A84B253BE4BB10744F1A00A0DF4187683F338C842C251
              Function 0127E75D Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction ID: 2b45f0780f8bcbf3c60ff5aaddb741e1e08ce27ae8e4e751dc8037303da15858
              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction Fuzzy Hash: E901D632621206AFF7299F59C801F6BFAADEB40754F0685A4FB059B270D771DD40CBA0
              Function 011EA250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: 469426c18b60c3994f1fcdae2541495e120c4effc68b561f7e6cda1e8a90fae0
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: 44012272404B229BCB398F99E844A327BE4EF55B607008A2DFD95AB281C331D800CBA0
              Function 012C4940 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 760b86345c29917119460d2a321c6dbaa77e493e2e0f8d9ce87298cef0eb020f
              • Instruction ID: aeda3d649f82103f2f354cd2ec2f94431504f045f83314541a5b073e446b0561
              • Opcode Fuzzy Hash: 760b86345c29917119460d2a321c6dbaa77e493e2e0f8d9ce87298cef0eb020f
              • Instruction Fuzzy Hash: 650126724615629FC332EF1CD814EA3B7A8EB91B70B154319EB699B1D6D730D801CBD0
              Function 0126E1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0beb3f1202913f9189a5b0ca5dcbdd73cc133c451bc64051b5b8972515fd8de
              • Instruction ID: 3cf307de261497ba8cb8eb79bd209449bfd2c649855bd55745b90363c05ae3c2
              • Opcode Fuzzy Hash: e0beb3f1202913f9189a5b0ca5dcbdd73cc133c451bc64051b5b8972515fd8de
              • Instruction Fuzzy Hash: B111ED36261201EFCB16EF09CD90F16BBB9FF58B48F200069EA058B2A1C331ED01CA90
              Function 011F6259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81b4818cca2a62a35aa09f1ece3c0587d19f307cd13e11477f7fa9e0bb264357
              • Instruction ID: 8163f149ab411bf7ae3cb99df33205ce21a2e29b1db87f53f9a474281894b0f6
              • Opcode Fuzzy Hash: 81b4818cca2a62a35aa09f1ece3c0587d19f307cd13e11477f7fa9e0bb264357
              • Instruction Fuzzy Hash: 08117CB1651229ABEB29EB64CD42FEDB3B5BF54710F5041D4A318A61E0DB709E81CF84
              Function 01276050 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ede68b16df4782777d827ab05a084015baeac1f806af7051e49bb3da164e2556
              • Instruction ID: 61f7cd57805bbbce10e6ce1e8f7283692e82af87a558177171f713403d1a7f8c
              • Opcode Fuzzy Hash: ede68b16df4782777d827ab05a084015baeac1f806af7051e49bb3da164e2556
              • Instruction Fuzzy Hash: 36111B73910019ABCB12DB94CC84DEF777CEF48254F044166E906A7211EA34AA15CBE0
              Function 011F208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 556e057b076c4e5ea7424f1d8af3b0da90bdcd16d063519b5245134477eaa567
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: 6A0128336101118BDF1E9A5DD880BA67767BFD4700F5645A9EF018F246DB71CC81C790
              Function 01286500 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b8e3f376fb79963e8d77bbab75be7f8202a878b5d881c736b452f7e674d1970
              • Instruction ID: 9d376c40dd875ba7e5fcab9de4f6686134a374e04bbbac8cbaf5f366cde87101
              • Opcode Fuzzy Hash: 3b8e3f376fb79963e8d77bbab75be7f8202a878b5d881c736b452f7e674d1970
              • Instruction Fuzzy Hash: BD1104326111469FC311DF18E800BA2BBB9FB5A304F088159E948CF356D736EC80CBB0
              Function 0127C810 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b29613ac499839f88978e0b886e05777f75e31cee795886921435b3b3ac55988
              • Instruction ID: bf4c72cff01dc87cf0e25ad45231ea74a3785a83ed89be1b918f3f69f28c3dbb
              • Opcode Fuzzy Hash: b29613ac499839f88978e0b886e05777f75e31cee795886921435b3b3ac55988
              • Instruction Fuzzy Hash: 2D1118B1A1020A9FCB00DFA9D541AAEBBF8FF58350F10406AA905E7351D674EA018BA4
              Function 0129EA60 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e89759654a0d1fde23a895f5f7f75fb687bdb549dfdda09aaccad638dfc857f6
              • Instruction ID: 758f8f4b7c15981a7d0924770324eda3d3b2ce6937066abfe767a8044a1cfefe
              • Opcode Fuzzy Hash: e89759654a0d1fde23a895f5f7f75fb687bdb549dfdda09aaccad638dfc857f6
              • Instruction Fuzzy Hash: 7801B1311602129BCF37EA1DC44493BBBB9FF51650B46446AE2555B2A2CB259C81CB91
              Function 011EC020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 6e5b61aac75656227306e9190ca839a45989dcb00d32618b313d18a0e63d0ba9
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: 3901B532110B4A9FEB3AD7A9D844BB77BE9FFE5610F058919E6468B540DE70E401C790
              Function 012320F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73275e8aa0c3c70aaee6c25ada28410db8cb69a1fef49ff21b996486fe69fdb9
              • Instruction ID: 0ccc9b81ccad017db23cdac83f0e18fabbd4a4a370d02f933dd72e69bfde446c
              • Opcode Fuzzy Hash: 73275e8aa0c3c70aaee6c25ada28410db8cb69a1fef49ff21b996486fe69fdb9
              • Instruction Fuzzy Hash: 80116D75A1024EEFCB05EF64D951FAE7BB9FB84240F004099EA019B291D635EE11CB90
              Function 0122E5CF Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28506f3636697df06ed486673e5429d681b8d5af86380c3ada2f26c96319d477
              • Instruction ID: 11aea77feabd022ce76443c0aa191ff8dd50cabfe54b8f6436b7938f382de015
              • Opcode Fuzzy Hash: 28506f3636697df06ed486673e5429d681b8d5af86380c3ada2f26c96319d477
              • Instruction Fuzzy Hash: 7401D4B1221912BFC712AB29CD84E67BBACFB54654B000626B20583592DB34EC41C6A0
              Function 012869C0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2188b5680afb044ba94cca8a3b6081dd03d56469207b389b7994f5c5f123076d
              • Instruction ID: bf6be264881edd955c15d10404fc7cf3b42af0768b9edca1c7e81a3997168b31
              • Opcode Fuzzy Hash: 2188b5680afb044ba94cca8a3b6081dd03d56469207b389b7994f5c5f123076d
              • Instruction Fuzzy Hash: B201FC32235212DBC320EF69D849977FBA8FF94660F214629E959872C0E734D901C7D1
              Function 0127C460 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 103a36a6c805dde77b1229b7ab3ec19b828e55076db6fba5f6cea6ef53b110dd
              • Instruction ID: f14f233a7225423a827d66230170b06ac9f13d27fd5df280ba8d5293495d0ecc
              • Opcode Fuzzy Hash: 103a36a6c805dde77b1229b7ab3ec19b828e55076db6fba5f6cea6ef53b110dd
              • Instruction Fuzzy Hash: 39115B75A1024AEBDB15EF68C855EBE7BB5FB98240F004059B90197380DA34E921CB90
              Function 0127C97C Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b3fab95079cbb8dba206e5b58663c46698236762116c2f9cba6e498f2630c18b
              • Instruction ID: 8bae9d863f28c02158940dc29c0ee030e557520b7fe2432417135c1a328b4699
              • Opcode Fuzzy Hash: b3fab95079cbb8dba206e5b58663c46698236762116c2f9cba6e498f2630c18b
              • Instruction Fuzzy Hash: E51179B26283099FC700DF69D54296BBBE4FF98310F00491ABA98D7391E630E900CB92
              Function 0127CA11 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3dc74d77c71fb37ec102c00cfd9562d5356cdb89676530fe03273f5e95afb92e
              • Instruction ID: 51bf3ddc454dba69495a81608d5177ddc41c52d14fdb9490bbd09f6c9e9e7e9e
              • Opcode Fuzzy Hash: 3dc74d77c71fb37ec102c00cfd9562d5356cdb89676530fe03273f5e95afb92e
              • Instruction Fuzzy Hash: 20118EB16143059FC300DF69D44195BBBE4FF99350F00451EF958D7390E630E900CB92
              Function 012C4A80 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
              • Instruction ID: f628a7af07b4cabce55c94b63123f98e031f2806d5248cbdc90ed53cc12fbbdf
              • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
              • Instruction Fuzzy Hash: 540128332206469FE721EA5DC864FA3B7EAFBD1A00F044A1DE7428B650DAB0F840C754
              Function 0120E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 347ab6a1103eca2823d4a08a76bef250ee02f278cb719295b86f9665886b75e9
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: 27019AB22205819FE727C71DC948F277BD9EF49754F0A08A1FA05DB6E2C668DC80C225
              Function 011E826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad30e46a6ab5288bed46de8715b927a9999084508c0fe88a53a02006168b835e
              • Instruction ID: 309a430fd223d09ccb6bb2dcc9cc28139abea21e1c75fdc814d3bd2e400d6bba
              • Opcode Fuzzy Hash: ad30e46a6ab5288bed46de8715b927a9999084508c0fe88a53a02006168b835e
              • Instruction Fuzzy Hash: 6D01A232720906DBDB1CEBAAE9089BFB7E9FF90654B154069D902AB644DF30DD01C791
              Function 0129EB50 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f9c8ac2ccc133a25893784cfe9fd319c6fe9572b7af68f995c39afd29fe59b5f
              • Instruction ID: bc9d74ea8d2146b08dc86059bd8ee70596b0cf397a6e7842c676009ffa8e5ad3
              • Opcode Fuzzy Hash: f9c8ac2ccc133a25893784cfe9fd319c6fe9572b7af68f995c39afd29fe59b5f
              • Instruction Fuzzy Hash: EF01A2B12A0701AFD7369B1DE855F12BBE8EF55B50F02442AF3069F390D6B19881CB94
              Function 011F2582 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 499fe4aa9bda23a236a79e82e7f2e7698a87a12a5b29ade757d1cfe0b3a9a3b2
              • Instruction ID: ae284ec5bc8eee4d21a04975f1aa35716cab9c8f207e8fb23e2f138ba69564f0
              • Opcode Fuzzy Hash: 499fe4aa9bda23a236a79e82e7f2e7698a87a12a5b29ade757d1cfe0b3a9a3b2
              • Instruction Fuzzy Hash: 87F0F432651A21BBC736DB5A8D54F57BAA9EB84B90F01802DA70697650DA30ED01CBA0
              Function 0121C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 58d9b8bb1996f7d01547cca0dfe1025d83e4a10c548978247c67c99b38a24c30
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: BAF0C2B2600A15ABD324CF4DDC40E67FBEADBD1A80F048168A645C7220EA31DD04CB90
              Function 011EC310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: f4d47b30d832db6fdd256ca36dfd2c3de3d8d79b2da5e1c2b9b2b7425f159005
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 9DF0FC33248E339BD73E56D94C48B3BE9D59FE1A64F1A0035E205DB240CB608D0157D1
              Function 012C634F Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c8636a0af6432296c89288f63697a261263095cc1ac86fe0c67ae339426b012
              • Instruction ID: 87070ac4ec1cfcdd62e6c2301b0294a232c1dde6a3fca06fff8c69d7bc1e7d0c
              • Opcode Fuzzy Hash: 6c8636a0af6432296c89288f63697a261263095cc1ac86fe0c67ae339426b012
              • Instruction Fuzzy Hash: F2014471A2024AEFDB04DFA9D5519AEB7F8FF58704F10405AFA04E7351D674DA018BA4
              Function 012C625D Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 092b81ed4dc44122116dbc783f4a274198edf28d2dc54dfb8f5198674e9e6944
              • Instruction ID: fa5c7044283dbeb7533eb0a9732cec7243539cd891af77bf7ed4bb2f67f2e593
              • Opcode Fuzzy Hash: 092b81ed4dc44122116dbc783f4a274198edf28d2dc54dfb8f5198674e9e6944
              • Instruction Fuzzy Hash: 46018471A1020AEFCB04DFA9D4419AEB7F8FF58704F10405AFA00E7351D674DA00CBA0
              Function 012C62D6 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad85f263d957530313a6640c8aecf92f6706b1ccb5617be348f45b7f7803056e
              • Instruction ID: 6e79fd41f6dcc448620e727220b58b97827eda175958ba3a878eec2b531a89a6
              • Opcode Fuzzy Hash: ad85f263d957530313a6640c8aecf92f6706b1ccb5617be348f45b7f7803056e
              • Instruction Fuzzy Hash: CC0184B1A1024AEFCB00DFA9D4419AEB7F8FF58704F50405AFA00E7391D674DE008BA0
              Function 0122CA6F Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction ID: a5f6c8359891d562a24e37711e1bcf52da877bda91ecfbd463f8785c9ddaeee1
              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction Fuzzy Hash: 0001D132224686ABD736DA1DC805B6DBB9CFF51750F0840A5FB048B6E2D6B8C850C255
              Function 012C61E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b7f48acfa61a545740fc0f61c5fedf3f302b6f2ed9a02307738eb1202f5ca8c
              • Instruction ID: bed2d8042c53671ddb54aaf32504d29f0a327cce66a7a288de0acde240889010
              • Opcode Fuzzy Hash: 8b7f48acfa61a545740fc0f61c5fedf3f302b6f2ed9a02307738eb1202f5ca8c
              • Instruction Fuzzy Hash: F7018F71A102499FCB00DFA9D445AEEBBF8BF58710F14006AE504AB380D774EA01CB95
              Function 012763C0 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: abc50083f99925be8acba1d25ac961db59f9ba31558a6a99ff51759cafd38fe3
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: EFF01D7221001DBFEF029F94DD80DBF7BBEFB59298B104125FA11A2160D631DD21ABA0
              Function 0127A4B0 Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ae82fcb0bc610e13ba60e8ebe8ef4bdeafb74fd60b47194a4936ce6a01a0304
              • Instruction ID: 8d2ed52c58013ee66ff3d24918957bdc25a5717205f8dfbbcab52f9ca126cea9
              • Opcode Fuzzy Hash: 3ae82fcb0bc610e13ba60e8ebe8ef4bdeafb74fd60b47194a4936ce6a01a0304
              • Instruction Fuzzy Hash: E7018936520109ABCF129F84E844EDE3FA6FB4C764F098105FE186A260C332D970EB81
              Function 011EC0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c65d1fc82cadc288539f1f852a451d8e2e8e6d9a1a4f5364f42cc22158736ddc
              • Instruction ID: 68468e4bd2fedf4a1093c866e92671b775d611635f553006e5dfa207b5251feb
              • Opcode Fuzzy Hash: c65d1fc82cadc288539f1f852a451d8e2e8e6d9a1a4f5364f42cc22158736ddc
              • Instruction Fuzzy Hash: 07F0F0712146419BF22C97998D05B3232D6E7E0A50F26806AEB058B2C1EBB1DC0186D5
              Function 0122656A Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e19b9cf0c79fe6c38c3e75aa3c4391f37d3542fcf93517639375944ab3cbfa6b
              • Instruction ID: d39a0490018e8643b1699f876213bcd8fdf3f445a9d886687743f0c5fc300df8
              • Opcode Fuzzy Hash: e19b9cf0c79fe6c38c3e75aa3c4391f37d3542fcf93517639375944ab3cbfa6b
              • Instruction Fuzzy Hash: CF018171230AC6EFE333A72CDD48B2937A9BB50B04F580290FA418B6D6D768D4918214
              Function 0129437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: e85c7e9ccbe2b46aa8c09b645edb1606169f36fb4a6c0fc44ff1da9eb891737e
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: 25F0E93137199347EF36BB3E8510B3EAA959F90A01B25452C9B45CB680DF60DC42C784
              Function 0127E872 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction ID: 6e22de5731525e167ae7f900159ae6ae3496a91557b0095909d26aab2d8613dd
              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction Fuzzy Hash: B9F05E32731A129FE3219A4ECC80F17B7A8AFD5A60F1A01A5A7149B270C770EC0187E0
              Function 0127C89D Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fda4c2bac12c886ed4d9c132634f049e1cef6572f0fcc3222166e86eeb6fe8b2
              • Instruction ID: b977512d067284ac00f0bc5bc46a5a56617416299f60a09d8a1e8cfb37f9923b
              • Opcode Fuzzy Hash: fda4c2bac12c886ed4d9c132634f049e1cef6572f0fcc3222166e86eeb6fe8b2
              • Instruction Fuzzy Hash: F9F0C2B06253459FC310EF38C546A2BB7E4FF98710F40465AB898DB390E634EA00C796
              Function 01220854 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction ID: e0cd479d1566968fbfdc7827b5cd65e87f7db3c405e083c9919ed19d311d0212
              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction Fuzzy Hash: E5F02472620204AFE314DB22CC05F5BB6E9EF98300F148078EA44C72A0FAF4DD00C658
              Function 0127C912 Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39ffee3d53cb033169f199e82b9a8e585e8b0411f65ec9fc93a36f70081c8a09
              • Instruction ID: c8c5a2f087ca1b68096aa0de4ea462c275bd36c8071234f71bcdfe9896aa37d7
              • Opcode Fuzzy Hash: 39ffee3d53cb033169f199e82b9a8e585e8b0411f65ec9fc93a36f70081c8a09
              • Instruction Fuzzy Hash: BFF06270A1124AEFCB04EF69D515A6EB7F4FF58300F008055B955EB385DA78EA01CB54
              Function 011F47FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8fd584ee4fa8907f2629a23bf7743a7a19afdc2e11f64cf2ffb7d2a79affccb2
              • Instruction ID: 7d156640a39014119152dad4c8c6d69e64d9627c986b4dc8a0f6f03a3ceb8432
              • Opcode Fuzzy Hash: 8fd584ee4fa8907f2629a23bf7743a7a19afdc2e11f64cf2ffb7d2a79affccb2
              • Instruction Fuzzy Hash: FBF02E319122E09FE73ACBECC404B73BBC49B00A30F09896EC78983D62C324D880C681
              Function 012B0115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 119b1f0355386fa1719242cf4c7e5b1075fd98199163b7fa18499a35d816df2a
              • Instruction ID: 4f4b165f377d2dbe93e9c4ffa3372923df83b75cfde4f3b56ac037684f1d7acf
              • Opcode Fuzzy Hash: 119b1f0355386fa1719242cf4c7e5b1075fd98199163b7fa18499a35d816df2a
              • Instruction Fuzzy Hash: 83F027764356C20BCB376B2C74D83E62BB5A761360F491085D5A15B206C5789483C728
              Function 0122C5ED Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55d9bc4b164e0898736d563dd2db9805d051a3aa1f8514430991a903581b5214
              • Instruction ID: 18b006384fa4eab4974686e77a519c9f760e988f5eda2ff79ced7968b514bb21
              • Opcode Fuzzy Hash: 55d9bc4b164e0898736d563dd2db9805d051a3aa1f8514430991a903581b5214
              • Instruction Fuzzy Hash: 05F0E9719715B3BFD332971CC144B3D77D49BC0F64F099525D6158B653C3A4E860CA51
              Function 01232619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 3e741c80b135866f29cc8506dbabbc5590eeea7ffd415f9591dd5530a65268e1
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 1DE0D8723106016BE7129E598CC4F67776EDFD2B10F04007DB6045F292C9E2DC0986A4
              Function 01286030 Relevance: .0, Instructions: 29COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: 6d36ac89dfd1d7b2082e7ccf7f413ff8534db868a72b48bb511d49c40809c85d
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: 45F030721252049FE3219F09D944F62B7F9FB05364F45C025E7099B5A1D37AEC41CBA8
              Function 011F0710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 3ab6dad124e5284385167701060c822ad65d76316e58f32dc4c178c0e079e008
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 3DF0E539214B41DFEB1ECF19C040AA57BA5FB55350B010199FA828B342E735E981CB95
              Function 012249D0 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction ID: 35cd0db9dad82ef63462dd50d59947301e77ad3c596f3129dc2a134440e013f8
              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction Fuzzy Hash: FBE0D8322741D6BBD3213A598821F7E77A5DBD87A0F150429E3408B150DBB0EC40C7D8
              Function 012C4164 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6157aac02f903fbcafc96e6e824b5d0429e2b578e4053b76af09121f943a615
              • Instruction ID: 1fa75450a31c6aa4a7c13407b02acf4c8bb9e77a750068df67f949b219711a3f
              • Opcode Fuzzy Hash: e6157aac02f903fbcafc96e6e824b5d0429e2b578e4053b76af09121f943a615
              • Instruction Fuzzy Hash: 25F0E531A355D28FE772E72CD260B5377E0ABA0E30F0A075CD68087952C3A0DC40C650
              Function 0129678E Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: cf0848cf7ff38049c9bc0ecaf5ef794e0f1680e1750e143e14122bd8f064474a
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: 14E0DF32A50124FBEF22A7998D05FAEBEADDB90EA0F050054B700E71D0E530DE00C690
              Function 012C08C0 Relevance: .0, Instructions: 25COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction ID: e68edfa6107e8dbf4248dc06129973d5764c54b726512dcb1905af15be6ba1ad
              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction Fuzzy Hash: BBE09B35650351CBCB258A1DC141A63B7ECDF95A60F15C36DEF0947613C272F852C6D4
              Function 011F25E0 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a236b081c575f279307b7206c5982209a36782d0cf7b0d519a4c384d295598a2
              • Instruction ID: 5a3c3073cd2328641ca8dc57d83de9a15ffd9ec3aca880033709c342fa9366c4
              • Opcode Fuzzy Hash: a236b081c575f279307b7206c5982209a36782d0cf7b0d519a4c384d295598a2
              • Instruction Fuzzy Hash: 58E092721109549BC726FB29DD01F9B779AFBA4374F014519F11557590CB34A810C784
              Function 012AA456 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: da12c9a1df494d370c0476129a96a3bb95354aa236c4de40458def12164703c2
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: CDE01231030A52DFE7366F2AD948B667AE1FF50711F558C2DE196124B0C77598D1CA40
              Function 01274000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: dc4e72461e0d8ed97ac8a529bd0e723f09a782f2d7a4b559a4422757bbdc2eae
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 38E0C2343103468FE71ADF19C040B677BB6BFD5A10F28C068AA488F205EB32E842CB40
              Function 0122CA38 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d45442cdb2d17210f04923cac5b5a75eb1c35bd1dd9ab046191e5a542242782
              • Instruction ID: 65e6e59ff0090b25dbaae8a24c7c4ef0d6d6a0b40d173ab81b37af43125376bb
              • Opcode Fuzzy Hash: 7d45442cdb2d17210f04923cac5b5a75eb1c35bd1dd9ab046191e5a542242782
              • Instruction Fuzzy Hash: DED02B329B10317ACF36F9197C08FEF3A9D9B50360F014861F20892011D564CCD186D4
              Function 011E823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: a38776e928a492862cd04c29d4cfa970e196476e95b9035ebcff31b5ed38f433
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: F1E0C231060E22EFDB3E2F59DC04F6176F6FF94B10F214929E081064A48770AC81DB45
              Function 011F2050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a9beb93ae6b243b602407eaa30a0fda461df59f7216651fd93d9a0eaba554e7
              • Instruction ID: 52e068286d01ef2eeb450b9157a0b74c17f9f5b8edddd352099f39785b50c764
              • Opcode Fuzzy Hash: 6a9beb93ae6b243b602407eaa30a0fda461df59f7216651fd93d9a0eaba554e7
              • Instruction Fuzzy Hash: A3E08C322104506BC716FA5DED00E5A739AEBA5274F000225F2508B6D4CB24AC01C794
              Function 01246AA4 Relevance: .0, Instructions: 17COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
              • Instruction ID: 44ad5e5a953b08d81b99287e93b5b6391d391379a278b6de6b79ea423dff5dc2
              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
              • Instruction Fuzzy Hash: 5BD05E36521E50AFC3329F1BEA00C13BBF9FBC5A10705062EE54583920C670A806CBA0
              Function 0122E59C Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 9a5bd57d0222d83bfe1d9f8f7c277bba33f6138fe6cecbe2f384eb06666b2b22
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: 07D0A932224A20AFDB32AA1CFC00FD333E8BB88B24F060459F008C7091C760AC81CA84
              Function 0126E908 Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction ID: 5b16ae9395bbf7312cdf4a692b13df6ea17f30dafcae37ff1d2def89523e36be
              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction Fuzzy Hash: 6EE0EC359616859FDF16EF59C640F5ABBB9BF94B40F160058A2085B6A1C634A940CB40
              Function 011EA0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: 308ce35392a772c7ec09aafb790470a0cbeb3bc5ae880004118a7760ec6dad98
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 48D0223232283097CB2D97957808F636D49AF80A94F0A002C740AD3800C2048C82C2E0
              Function 0122A830 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction ID: 964debe26742c0507c4ed082d3336d844ec8507e0276443cafba93298562c9ff
              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction Fuzzy Hash: D2D012371E054DBBCB12DF66DC01FA57BA9E764BA0F444120F504C75A1C63AE950D684
              Function 0122CA24 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60d4f7aee5a701bec979adedb7667f38d575b2810a80ac355501fa0e86040b00
              • Instruction ID: d45de23b965b76e48070527ed570b0c7852bda4a65c52c3ba00a193b6a1d3a43
              • Opcode Fuzzy Hash: 60d4f7aee5a701bec979adedb7667f38d575b2810a80ac355501fa0e86040b00
              • Instruction Fuzzy Hash: E1D0A930672612EFDF2BCF08CA10E3E3AB8FB20640F40006CE740AA460E368DC11CB00
              Function 012002A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: c0c41de2ce999bc10be0bb1b4d31e8dc04fd3a38c8dd101fdbd214a5813cbcfa
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: DFD0C935222E81CFE71BCB1DC5A4B1573B4BB84B84F810590F501CBB62E67CD980CA04
              Function 0122C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: a9ded401fa01821bb9f496185ab61c9ffb332893b042d3ad3000aca473e10438
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: 88C01232150644AFC712DA95CD01F1177A9E798B40F000021F20487571C531E810D644
              Function 01210310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: 1d2c912b9c2f839c938afbc084a8a1466aeac3ead4fa34c61bd3076bf93b68e7
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: ECD01236110248EFCB01DF41C890DAB777AFBD8710F108019FD190B6108A31ED62DA50
              Function 011F0750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: 74757cfc34c9899d2b670cc4430c6c214bb8fe983cdcde81e199a474ac770014
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: 6EC04879B21A428FDF1ADB2AD294F5977E4FB54B40F160890E945CBB22E628E801CA10
              Function 01234340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 673a04c97dbee2738effd519c46d7c704e05c8c0f6c253e38d9baadbea33d839
              • Instruction ID: 18ce3cdfb10adf242894a4024083abe653a86cade5fbc0deab2c3e0930c7df12
              • Opcode Fuzzy Hash: 673a04c97dbee2738effd519c46d7c704e05c8c0f6c253e38d9baadbea33d839
              • Instruction Fuzzy Hash: C7900231625810139144719848845464005A7E0301B55C011E1424554CCA548A565361
              Function 01234650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f8746b867d39c06258b86b58280cd7ecc8a5bd0bc0c00a1b100a45c24c59314
              • Instruction ID: 8982bc9332095d4589c3bdcc7e02cfad2447628fcafacead92190779aeb00d6d
              • Opcode Fuzzy Hash: 9f8746b867d39c06258b86b58280cd7ecc8a5bd0bc0c00a1b100a45c24c59314
              • Instruction Fuzzy Hash: EF90047173151043414471DC4C044077005F7F13013D5C115F1554570CC75CCD55D37D
              Function 01232B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca6b8078f31226de48166c261e2e881b4d4d3b77bc740f58ac71d831133e5665
              • Instruction ID: beee3dbf24edcb5b57e5d41a1da948c0803bdb2712a757e6d0bbff0bfd4b767a
              • Opcode Fuzzy Hash: ca6b8078f31226de48166c261e2e881b4d4d3b77bc740f58ac71d831133e5665
              • Instruction Fuzzy Hash: 0B90026122241003410971984414616400A97E0201B55C021E2014590DC56589916225
              Function 01232BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 071d1869cf40e666a648e571711457a454cd6108c7f117c1670ee7369d1530a5
              • Instruction ID: f5586b1a4f721b4ea78d64ee843e4873dcd13e22f9e8eadbf1a71468baefdd27
              • Opcode Fuzzy Hash: 071d1869cf40e666a648e571711457a454cd6108c7f117c1670ee7369d1530a5
              • Instruction Fuzzy Hash: 9390023162541803D15471984414746000597D0301F55C011A1024654DC7958B5577A1
              Function 01232B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2be5b35582e506a3a977c666ec13f3367abe3492d26160cbc6073e1850ff378
              • Instruction ID: fdf1c2026250e3caebe79ff42cea52dc182d155b7eb37854b3470af2ce8fb5ca
              • Opcode Fuzzy Hash: c2be5b35582e506a3a977c666ec13f3367abe3492d26160cbc6073e1850ff378
              • Instruction Fuzzy Hash: F890023122141803D10871984804686000597D0301F55C011A7024655ED6A589917231
              Function 01232BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d9056276ec4376d90c94e4b7495fe51d1047b6f35b065bdd70f200a0f4bbed2
              • Instruction ID: cb8a084aa3a6fa52f00e10b24fd1757a032b3374b0658fd7c7bef9ee807af177
              • Opcode Fuzzy Hash: 2d9056276ec4376d90c94e4b7495fe51d1047b6f35b065bdd70f200a0f4bbed2
              • Instruction Fuzzy Hash: 7F90023122545843D14471984404A46001597D0305F55C011A1064694DD6658E55B761
              Function 01232BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88eec7d13db5fa7fc8ead80004c108d3f12debea6cb3d0d25e6a9d358e866ad9
              • Instruction ID: 8abef100e198abfb3c74eb5fe76508da8a472a1c9c9a51526cc9358fc3d13f59
              • Opcode Fuzzy Hash: 88eec7d13db5fa7fc8ead80004c108d3f12debea6cb3d0d25e6a9d358e866ad9
              • Instruction Fuzzy Hash: 8F90023122141803D1847198440464A000597D1301F95C015A1025654DCA558B5977A1
              Function 01232AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0fc7db040f641b1b99f2f5187e32b646d4b98b364bf3d31eaee829caa83c80d4
              • Instruction ID: 84d98dbb70d365e37ae419c60ed89934c80c5eb459406ab4bed7e588075d119f
              • Opcode Fuzzy Hash: 0fc7db040f641b1b99f2f5187e32b646d4b98b364bf3d31eaee829caa83c80d4
              • Instruction Fuzzy Hash: EF9002A1221550934504B2988404B0A450597E0201B55C016E2054560CC56589519235
              Function 01232AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 02a785bbfbccf5bf758adaf03955f3185bb357f4539a6dd6a1b1667adb5216c3
              • Instruction ID: 5682220b7d557ead32a99f3182a296eac75b24ad7aaa904de5de1290b2bac91e
              • Opcode Fuzzy Hash: 02a785bbfbccf5bf758adaf03955f3185bb357f4539a6dd6a1b1667adb5216c3
              • Instruction Fuzzy Hash: CD900225231410030149B598060450B0445A7D6351395C015F2416590CC66189655321
              Function 01232AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc9c0dc3cd8ec2c9306f9f1a2507b5d8c972fe2664137ecf3e901f405b9f0074
              • Instruction ID: bb2cb0d3c56174e2f7060b78c1ad5ce8c405ae263fd8d3c8f7bd33f744801a29
              • Opcode Fuzzy Hash: cc9c0dc3cd8ec2c9306f9f1a2507b5d8c972fe2664137ecf3e901f405b9f0074
              • Instruction Fuzzy Hash: D390043533141003010DF5DC07045070047D7D5351355C031F3015550CD771CD715331
              Function 01232D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5552e7ba5353edf6737255aa42245bfeddee2cbc7c96f90941a2fcbfb4f426b8
              • Instruction ID: 668229d97f5cfc96217de2982ecb4b038f7611f79191a9cdd4dbe4b5650c5d77
              • Opcode Fuzzy Hash: 5552e7ba5353edf6737255aa42245bfeddee2cbc7c96f90941a2fcbfb4f426b8
              • Instruction Fuzzy Hash: 5390043133141003D14471DC541C7074005F7F1301F55D011F1414554CDD55CD575333
              Function 01232D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c345a116ba64be65067ad77aadef679f026a9cdc22ff94a7e77ce316ce270c36
              • Instruction ID: 53ddb82d3db5ce18efbfa653aee0c73a9153def6241db8fa8f7e5088a125b7fd
              • Opcode Fuzzy Hash: c345a116ba64be65067ad77aadef679f026a9cdc22ff94a7e77ce316ce270c36
              • Instruction Fuzzy Hash: 8D90022122545443D10475985408A06000597D0205F55D011A2064595DC6758951A231
              Function 01232D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ff776d2b0fac6df35c70088951da44858a233d4e74a5d6d357196ef942c66f5
              • Instruction ID: 7ba20bd7cd9aa75040ada4805053d521ed2b38de09dbb4d041e98fdc0ebdbda6
              • Opcode Fuzzy Hash: 7ff776d2b0fac6df35c70088951da44858a233d4e74a5d6d357196ef942c66f5
              • Instruction Fuzzy Hash: F790022923341003D1847198540860A000597D1202F95D415A1015558CC95589695321
              Function 01232DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 222b66d7a37641793cb79051e14c877dd79074768b622a0f4f4e673cfb9134d8
              • Instruction ID: aed00ba5a0f451eb663e53eb53ba0b7619530a05852776b9b279bae8c8ba963d
              • Opcode Fuzzy Hash: 222b66d7a37641793cb79051e14c877dd79074768b622a0f4f4e673cfb9134d8
              • Instruction Fuzzy Hash: C790023126141403D145719844046060009A7D0241F95C012A1424554EC6958B56AB61
              Function 01232DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9daed0c083e4e0c67330030f09c9e80ab5dc27bf194f80bdddfca030aeae835
              • Instruction ID: 34f69020e93b08474acbb94385e58c0cd3fab977f7f5b15d71893e7aea2657a5
              • Opcode Fuzzy Hash: d9daed0c083e4e0c67330030f09c9e80ab5dc27bf194f80bdddfca030aeae835
              • Instruction Fuzzy Hash: D4900221262451535549B19844045074006A7E0241795C012A2414950CC5669956D721
              Function 01232C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93f2bc1d2c2ee06177cbab17f0a89a941af1edd8fe70d306133495bdea49cda0
              • Instruction ID: 43e490c722ed8ca4f01afc1040deb540b58a75cda969865edbe35f2f37792878
              • Opcode Fuzzy Hash: 93f2bc1d2c2ee06177cbab17f0a89a941af1edd8fe70d306133495bdea49cda0
              • Instruction Fuzzy Hash: 2D90023122141843D10471984404B46000597E0301F55C016A1124654DC655C9517621
              Function 01232CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6107491bea9643edb5716527cd01eaae76fafce8005746f85eda8f06dd869825
              • Instruction ID: d23c4bc4724222561e549882f0b49cecf3fe77b9dd400d105d96f958c44b1530
              • Opcode Fuzzy Hash: 6107491bea9643edb5716527cd01eaae76fafce8005746f85eda8f06dd869825
              • Instruction Fuzzy Hash: 7290023122141403D10475D85408646000597E0301F55D011A6024555EC6A589916231
              Function 01232CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e61780e03ac19680464d3830fa94c3a9ef0643c216f33a0a37d8bacd05537f1c
              • Instruction ID: 81ebf9a8b85e6c4422e7b0368b3fb39cbac7a8b5ab92726a3d64c40b17816465
              • Opcode Fuzzy Hash: e61780e03ac19680464d3830fa94c3a9ef0643c216f33a0a37d8bacd05537f1c
              • Instruction Fuzzy Hash: 7590043133141403D10471DC550C7070005D7D0301F55D411F143455CDD7D7CD517331
              Function 01232CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad6468e91f99c624dbd5f18f57f6f0006cdab9fdbe281ced2826e1805527c001
              • Instruction ID: 3542633d62e6a280508d19581e12cc6c3f014478d774195f30d4b82d0a321081
              • Opcode Fuzzy Hash: ad6468e91f99c624dbd5f18f57f6f0006cdab9fdbe281ced2826e1805527c001
              • Instruction Fuzzy Hash: F290022162541403D14471985418706001597D0201F55D011A1024554DC6998B5567A1
              Function 01232F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be3e1caa81b7fbf3f6676b95140b378d9ff37bc96faf943d1746adc0156b3e2f
              • Instruction ID: 90d9c31d349f7c583ea8cc49a57c7392fbc45ddb1252af9ee7d96c08d71a1db1
              • Opcode Fuzzy Hash: be3e1caa81b7fbf3f6676b95140b378d9ff37bc96faf943d1746adc0156b3e2f
              • Instruction Fuzzy Hash: 8F90026136141443D10471984414B060005D7E1301F55C015E2064554DC659CD526226
              Function 01232F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 95c2cdeaa25c60305baa7f4ba81671c4fc83a11af8d3698f9543c0294100d703
              • Instruction ID: a21ad20c1e2bb34c48a5b0d9658f55f92271e07ca4854a7e8f747f46e0a865ff
              • Opcode Fuzzy Hash: 95c2cdeaa25c60305baa7f4ba81671c4fc83a11af8d3698f9543c0294100d703
              • Instruction Fuzzy Hash: AA90047133141043D10C71DC44047070045D7F1301F55C013F3154554CC57DCD715335
              Function 01232FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d239242bfe1b0c5a8c233b1636a942cf20caf42ecb9655fa71fb93c0c56264d8
              • Instruction ID: fc4b0c234aae5a6218b42dffa48c953ccdbfbf5c83e90623b4af6df6e7a3d816
              • Opcode Fuzzy Hash: d239242bfe1b0c5a8c233b1636a942cf20caf42ecb9655fa71fb93c0c56264d8
              • Instruction Fuzzy Hash: 9F90023122181403D10471984808747000597D0302F55C011A6164555EC6A5C9916631
              Function 01232FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b7bebfc0fa7c5fd9213686f03caab95fc521f7e7cccd0ebcaad190c87f06e75
              • Instruction ID: b8279d8fc0a128a918c6ef541ee9d5002504db184351e9f47bf00b73dffaac02
              • Opcode Fuzzy Hash: 3b7bebfc0fa7c5fd9213686f03caab95fc521f7e7cccd0ebcaad190c87f06e75
              • Instruction Fuzzy Hash: F190022162141043414471A888449064005BBE1211755C121A1998550DC59989655765
              Function 01232F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f4814fcf571ad0a1bedb5833ddf487ae2de9bb346b88aa8db8bb53510a8f2981
              • Instruction ID: abac0d72a78183850b937b3753a8b6ca16d5b89f37a047de992b440bf2bc9e16
              • Opcode Fuzzy Hash: f4814fcf571ad0a1bedb5833ddf487ae2de9bb346b88aa8db8bb53510a8f2981
              • Instruction Fuzzy Hash: 8890023122181403D1047198481470B000597D0302F55C011A2164555DC66589516671
              Function 01232FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68c058897bbbcf267cafa5162071abaf5ca376ed027bb8c6af1d68262db44b62
              • Instruction ID: b7bb573573aa5bbe2e0cfb5564797bc2fde09116d07d974197ba51cfa5da8640
              • Opcode Fuzzy Hash: 68c058897bbbcf267cafa5162071abaf5ca376ed027bb8c6af1d68262db44b62
              • Instruction Fuzzy Hash: 69900221231C1043D20475A84C14B07000597D0303F55C115A1154554CC95589615621
              Function 01232E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed544a2051db88f479747abc2d7ec7ebc421ea8db3facc2bf605cd74e658a684
              • Instruction ID: 25824285a06eff0d8af5827f711b6d29a0a22f873e562c184c54d04b4466fc23
              • Opcode Fuzzy Hash: ed544a2051db88f479747abc2d7ec7ebc421ea8db3facc2bf605cd74e658a684
              • Instruction Fuzzy Hash: 7E90022132141403D106719844146060009D7D1345F95C012E2424555DC6658A53A232
              Function 01232EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c264a95c0c4f5ac9ea27b9212df0761f2695dbe0a06b82af9e5888788e8bc7e
              • Instruction ID: 3653a7bec992381ab9a55fe0773abdf5830e02285e40fafb7137050b40072187
              • Opcode Fuzzy Hash: 8c264a95c0c4f5ac9ea27b9212df0761f2695dbe0a06b82af9e5888788e8bc7e
              • Instruction Fuzzy Hash: BB90027122141403D14471984404746000597D0301F55C011A6064554EC6998ED56765
              Function 01232E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58bdb057d160e5597ee048c1af61c282527ff8d18a3779ba005d856b1ddf793b
              • Instruction ID: 9c49d8c5bbed84e81e682a9295f8777f59fd121842b50bef216d93e1d00bf7bf
              • Opcode Fuzzy Hash: 58bdb057d160e5597ee048c1af61c282527ff8d18a3779ba005d856b1ddf793b
              • Instruction Fuzzy Hash: 0C90022162141503D10571984404616000A97D0241F95C022A2024555ECA658A92A231
              Function 01232EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76a6956e9285fa5a33b0ec4a72f65c375bde16f29b9b022fa18e2503faf93035
              • Instruction ID: 5f8e08c0ec0a0f11357a4f4e59a46e6eccb3e87b857a6caa12803d2183d28ea2
              • Opcode Fuzzy Hash: 76a6956e9285fa5a33b0ec4a72f65c375bde16f29b9b022fa18e2503faf93035
              • Instruction Fuzzy Hash: 3B90026122181403D14475984804607000597D0302F55C011A3064555ECA698D516235
              Function 01233010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 64009db31aeb7429070c5ee80a62c3b287c27598cf5d982a760908354b7842ef
              • Instruction ID: ee17f81e30284a1c9deaf010e3909e29dd21ac812faf1a7a41ffcfb098af5166
              • Opcode Fuzzy Hash: 64009db31aeb7429070c5ee80a62c3b287c27598cf5d982a760908354b7842ef
              • Instruction Fuzzy Hash: 4090022122185443D14472984804B0F410597E1202F95C019A5156554CC95589555721
              Function 01233090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a05e161a858cd18a1481691c88e2d0b4a6d63ca55a680939dd775c26289302e0
              • Instruction ID: 564a71fa13a6c6d594f5947dd9aa469040a31a49e89154f615c5e82565b711de
              • Opcode Fuzzy Hash: a05e161a858cd18a1481691c88e2d0b4a6d63ca55a680939dd775c26289302e0
              • Instruction Fuzzy Hash: 0C90022126141803D144719884147070006D7D0601F55C011A1024554DC6568A6567B1
              Function 012339B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a06e0e89fc5c96a34884746406222b5c6cdea8cd013e26a6e7715d5c1ff4f5e
              • Instruction ID: b4e5df9d9e9bf803793fe79e3504ea716ff1153b6552efb26cff8651b208556a
              • Opcode Fuzzy Hash: 9a06e0e89fc5c96a34884746406222b5c6cdea8cd013e26a6e7715d5c1ff4f5e
              • Instruction Fuzzy Hash: 0690022126546103D154719C44046164005B7E0201F55C021A1814594DC59589556321
              Function 01233D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4603a5f2e27982b218d44a611f07a77d16b7b91c5ba49c6a4fe1f197a40577c2
              • Instruction ID: 3cfd3cb33cf147ae42fe49d3d995ac76526e8c071845dc80d8d76b73dfb76ccb
              • Opcode Fuzzy Hash: 4603a5f2e27982b218d44a611f07a77d16b7b91c5ba49c6a4fe1f197a40577c2
              • Instruction Fuzzy Hash: 1890023122241143954472985804A4E410597E1302B95D415A1015554CC95489615321
              Function 01233D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 534d79bbd02c3bc0149df2168550a81f8eb98cda015b748e1055c144053772de
              • Instruction ID: d8fef9c1e8f53634a39687361d2094ef14e2592eed2ab9646c851001b918b7cc
              • Opcode Fuzzy Hash: 534d79bbd02c3bc0149df2168550a81f8eb98cda015b748e1055c144053772de
              • Instruction Fuzzy Hash: C490023522141403D51471985804646004697D0301F55D411A1424558DC69489A1A221
              Function 01232C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 72974bda5c483b1983d79dda22c55965b1425bce52ffb0fe2b9d83352de3a95f
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 01232890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 726263e8c2f2cce7bb3a857e81903cc346d053ccf9f19806e86afd55aa5cb111
              • Instruction ID: 09190166e94aebf9c0000c05e4adde8edcd50e4fda02f075fa7f631bea562c4c
              • Opcode Fuzzy Hash: 726263e8c2f2cce7bb3a857e81903cc346d053ccf9f19806e86afd55aa5cb111
              • Instruction Fuzzy Hash: 0751D4B6E20157FFCB15DF9C889097EFBB8BB882407148269E565E7641D374DE408BA0
              Function 012A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 35ebdee77db4a8ab4c80c70c8d46a9e42df6fc1bd6ab692cef7d0c9c68978a8f
              • Instruction ID: 39bb93b9f330f75a65584a9b7d98257394fd9374a50ca4b7ef290b7d4a63cfa3
              • Opcode Fuzzy Hash: 35ebdee77db4a8ab4c80c70c8d46a9e42df6fc1bd6ab692cef7d0c9c68978a8f
              • Instruction Fuzzy Hash: 10513871A20656EFCB38DF9CC89097FB7F9FB44300B848459E6D6D7641E6B0DA408B60
              Function 01227630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01264725
              • Execute=1, xrefs: 01264713
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01264742
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01264787
              • ExecuteOptions, xrefs: 012646A0
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01264655
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012646FC
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: bdc7bca025387a8d7f75805b09098ce8e1e149e02440a7c343a23034e2dd0040
              • Instruction ID: 2bc9451298a3549c0eb65ce3b2fb01fd4b02f2d9d65b5e6e75bdfa8d8a023731
              • Opcode Fuzzy Hash: bdc7bca025387a8d7f75805b09098ce8e1e149e02440a7c343a23034e2dd0040
              • Instruction Fuzzy Hash: 1D511A7162422A7EEF25EBA9DC89FBE77ACAF24304F0400A9D605AB191D7709A458F50
              Function 012C6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction ID: 2999cc1afb137ea2a35c1c1a266a8cc90fc84c08bec8599edf7b778bd55a8aa6
              • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction Fuzzy Hash: 40020571528342AFD305CF28C494A6BBBE5EFD8B00F048A2DFA855B364DB71E945CB52
              Function 0123B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction ID: 5a4f74d3c431dd41bbb61750612a07bd8db56336ec5a8ba0000d925f546b970b
              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction Fuzzy Hash: 9E81B2F1E2524A9EEF298E6CC8917FEBBB1EFC5310F18411ADA51A7292C7348841CB51
              Function 012A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: f26c878b190b6ac7ee3923e2f2b437f56d51f11183b47fdaf0627552ed294f13
              • Instruction ID: b9f725711f98778c5458a74ecf5624870be4003cf248cb422635d36d1e42ec06
              • Opcode Fuzzy Hash: f26c878b190b6ac7ee3923e2f2b437f56d51f11183b47fdaf0627552ed294f13
              • Instruction Fuzzy Hash: DC21337AA2011AEBDB15DF69D844AFEBBF8AF54754F440116EA15E3201E730E9018BA1
              Function 0121F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012602BD
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012602E7
              • RTL: Re-Waiting, xrefs: 0126031E
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 2c6560b27a42aa547ec595e301a912fe37344dd87f016554a9d9829f3ef1e867
              • Instruction ID: 11b685026d1a1d2b5a2fe2dfe1114565f290179254d45656b82282c8057613e9
              • Opcode Fuzzy Hash: 2c6560b27a42aa547ec595e301a912fe37344dd87f016554a9d9829f3ef1e867
              • Instruction Fuzzy Hash: FEE1EE70628742DFD725CF28C985B2ABBE4BF94314F140A1DF6A58B2E1D774D849CB42
              Function 0122BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01267B7F
              • RTL: Resource at %p, xrefs: 01267B8E
              • RTL: Re-Waiting, xrefs: 01267BAC
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: f0acbc4741bfacde668ff3eb8918aa93e5421515bd2f7ca888f4fba12ea471e7
              • Instruction ID: 119b5fec438812a4b5e71df324802fbcde6620035b93bdf95e36ee6464092f46
              • Opcode Fuzzy Hash: f0acbc4741bfacde668ff3eb8918aa93e5421515bd2f7ca888f4fba12ea471e7
              • Instruction Fuzzy Hash: 3B41E331324703AFD724DE29D841F6AB7E5EF98710F100A1DFA56DB280DB71E4458B91
              Function 0122B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0126728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01267294
              • RTL: Resource at %p, xrefs: 012672A3
              • RTL: Re-Waiting, xrefs: 012672C1
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 0e827750b266dd7380243d15bec292efacb8f893ed5f0cc506e863e5ce9c364d
              • Instruction ID: 3624b4f9573b1b68f5d5b9fefa07740d4e8ac161a029fbba7073bd144992cb8d
              • Opcode Fuzzy Hash: 0e827750b266dd7380243d15bec292efacb8f893ed5f0cc506e863e5ce9c364d
              • Instruction Fuzzy Hash: 1841FF31620213ABD721DE29DC81B6AB7A9FB94714F100619FE55AB280DB31F892CBD1
              Function 012A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: bdd56c8c22802979e4da30ad188f558a6fd461cda15723a90a4c48888d7e7a76
              • Instruction ID: 6a6c0c74830c6c5e04bd9af880dc0e229fab4de0a5f379ebe6ac1d38210e9eb0
              • Opcode Fuzzy Hash: bdd56c8c22802979e4da30ad188f558a6fd461cda15723a90a4c48888d7e7a76
              • Instruction Fuzzy Hash: 89314172A2062ADFDB24DF29DC40BEA77E8EF55710F844556E949E7240EB309A448BA0
              Function 01237D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction ID: 517fd566f74573688f39ec5e5208832b4fc7055ffe356dbf6ec415eac7700b74
              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction Fuzzy Hash: F791A5F1E2021B9BEF24DF6DC8816BEBBA5BFC4720F14461AEA55E72C0D77089418761
              Function 011F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1758837702.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_11c0000_MSBuild.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: c62813d96bd89bf1ac222e3c5c3aa9dc9368e6ea9885be5926e4decd628fb513
              • Instruction ID: b5509330e769ddbba0b7be69c2918b1688f4b7eebc75c15a976236c45bd3d1e2
              • Opcode Fuzzy Hash: c62813d96bd89bf1ac222e3c5c3aa9dc9368e6ea9885be5926e4decd628fb513
              • Instruction Fuzzy Hash: BB811B71D1026EDBDB35DB54CC44BEEB7B8AB48714F0041EAAA19B7280D7709E84CFA0