Edit tour

Windows Analysis Report
8bZMO28ywp.exe

Overview

General Information

Sample name:	8bZMO28ywp.exe renamed because original name is a hash value
Original sample name:	42661ea68d2293c67cb878d88257f7f2.exe
Analysis ID:	1483237
MD5:	42661ea68d2293c67cb878d88257f7f2
SHA1:	a63f14b94257e93f483fba2dc9c9338a4d487d99
SHA256:	8157fd69bd3a3259d7911729323d4fe91eb4745fdccf2b605787b956ffe8d1c2
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8bZMO28ywp.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\8bZMO28ywp.exe" MD5: 42661EA68D2293C67CB878D88257F7F2)

conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 4124 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac"], "Bot Id": "1464974140_99"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x268:$pat14: , CommandLine: 0x162dd:$v2_1: ListOfProcesses 0x160cb:$v4_3: base64str 0x16c8f:$v4_4: stringKey 0x146d1:$v4_5: BytesToStringConverted 0x12b71:$v4_6: FromBase64 0x14cd0:$v4_8: procName 0x144ce:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8bZMO28ywp.exe PID: 6840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 4124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 4124	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8bZMO28ywp.exe.6ce8b000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.8bZMO28ywp.exe.6ce8b000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x144dd:$v2_1: ListOfProcesses 0x142cb:$v4_3: base64str 0x14e8f:$v4_4: stringKey 0x128d1:$v4_5: BytesToStringConverted 0x10d71:$v4_6: FromBase64 0x12ed0:$v4_8: procName 0x126ce:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x268:$pat14: , CommandLine: 0x162dd:$v2_1: ListOfProcesses 0x160cb:$v4_3: base64str 0x16c8f:$v4_4: stringKey 0x146d1:$v4_5: BytesToStringConverted 0x12b71:$v4_6: FromBase64 0x14cd0:$v4_8: procName 0x144ce:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x268:$pat14: , CommandLine: 0x162dd:$v2_1: ListOfProcesses 0x160cb:$v4_3: base64str 0x16c8f:$v4_4: stringKey 0x146d1:$v4_5: BytesToStringConverted 0x12b71:$v4_6: FromBase64 0x14cd0:$v4_8: procName 0x144ce:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.8bZMO28ywp.exe.6ce60000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.8bZMO28ywp.exe.6ce60000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x24058:$s5: delete[] 0x29c68:$pat14: , CommandLine: 0x3fcdd:$v2_1: ListOfProcesses 0x3facb:$v4_3: base64str 0x4068f:$v4_4: stringKey 0x3e0d1:$v4_5: BytesToStringConverted 0x3c571:$v4_6: FromBase64 0x3e6d0:$v4_8: procName 0x3dece:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 149.154.167.99, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4124, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET WORM Potential MySQL bot scanning for SQL server - Source IP: 192.168.2.4 - Destination IP: 157.90.30.125

Timestamp:	2024-07-26T21:56:55.840440+0200
SID:	2001689
Source Port:	49731
Destination Port:	3306
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE MetaStealer Activity (Response) - Source IP: 157.90.30.125 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:56:57.091193+0200
SID:	2049282
Source Port:	3306
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound) - Source IP: 192.168.2.4 - Destination IP: 157.90.30.125

Timestamp:	2024-07-26T21:56:56.637010+0200
SID:	2046105
Source Port:	49731
Destination Port:	3306
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound) - Source IP: 192.168.2.4 - Destination IP: 157.90.30.125

Timestamp:	2024-07-26T21:56:56.885526+0200
SID:	2046105
Source Port:	49731
Destination Port:	3306
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8bZMO28ywp.exe

Avira: detected

Found malware configuration

Source: 0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac"], "Bot Id": "1464974140_99"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: 8bZMO28ywp.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8bZMO28ywp.exe

Joe Sandbox ML: detected

Source: 8bZMO28ywp.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: 8bZMO28ywp.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000002.00000002.1726345634.0000000006565000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1726345634.0000000006565000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.1723609289.000000000573A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb0: source: MSBuild.exe, 00000002.00000002.1714851063.0000000001050000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1723609289.000000000573A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1723609289.00000000056E7000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 157.90.30.125:3306

Source: global traffic

HTTP traffic detected: GET /+J_Z1QGHfHko0MGZi HTTP/1.1Host: t.meConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /+J_Z1QGHfHko0MGZi HTTP/1.1Host: t.meConnection: Keep-Alive

Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: 8bZMO28ywp.exe	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: 8bZMO28ywp.exe, 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: token_servicegIndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: up.nexgor.top

Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1Response
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue1ResponseD
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2Response
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue2ResponseD
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue3
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue3Response
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Contract/MSValue3ResponseD
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: 8bZMO28ywp.exe, 8bZMO28ywp.exe, 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me
Source: MSBuild.exe, 00000002.00000002.1715957975.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.8bZMO28ywp.exe.6ce8b000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8bZMO28ywp.exe.6ce60000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

.NET source code contains very large array initializations

Source: 8bZMO28ywp.exe, -Module-.cs

Large array initialization: _206B_200B_200F_206E_202D_202D_202A_206E_200D_206B_206A_206F_206A_206F_200F_202E_202A_206C_200D_200F_200B_200B_200F_206A_202A_202A_202C_202B_202A_200B_206C_200B_206A_200C_202C_202C_206B_206B_206A_206F_202E: array initializer size 37536

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: 0_2_6CE686E0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,

0_2_6CE686E0

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE68C00	0_2_6CE68C00
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE686E0	0_2_6CE686E0
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE61210	0_2_6CE61210
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE831C5	0_2_6CE831C5
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE775B0	0_2_6CE775B0
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B1010	0_2_014B1010
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B3A98	0_2_014B3A98
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B2420	0_2_014B2420
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0969	0_2_014B0969
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B09C6	0_2_014B09C6
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B08DF	0_2_014B08DF
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B2330	0_2_014B2330
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0BD4	0_2_014B0BD4
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0B9D	0_2_014B0B9D
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0ACD	0_2_014B0ACD
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0ADD	0_2_014B0ADD
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B22F4	0_2_014B22F4
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B3AB9	0_2_014B3AB9
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0AB4	0_2_014B0AB4
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0D74	0_2_014B0D74
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0D17	0_2_014B0D17
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0C69	0_2_014B0C69
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0C04	0_2_014B0C04
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0CF7	0_2_014B0CF7
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0CA0	0_2_014B0CA0
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0F1C	0_2_014B0F1C
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B0E46	0_2_014B0E46
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_014B36A0	0_2_014B36A0
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_0AF035E0	0_2_0AF035E0
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_0AF02300	0_2_0AF02300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01204418	2_2_01204418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01200A10	2_2_01200A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01204CE8	2_2_01204CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_012040D0	2_2_012040D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_012009FF	2_2_012009FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06493090	2_2_06493090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064930A0	2_2_064930A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064D67F4	2_2_064D67F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064DC580	2_2_064DC580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064D22A0	2_2_064D22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064D9068	2_2_064D9068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064D67F4	2_2_064D67F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064D67F4	2_2_064D67F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508221	2_2_06508221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06500040	2_2_06500040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0650001D	2_2_0650001D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_065029A0	2_2_065029A0

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: String function: 6CE78740 appears 33 times

Source: 8bZMO28ywp.exe	Binary or memory string: OriginalFilename vs 8bZMO28ywp.exe
Source: 8bZMO28ywp.exe, 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameRadiogram.exe" vs 8bZMO28ywp.exe
Source: 8bZMO28ywp.exe, 00000000.00000002.1648019945.000000000152E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8bZMO28ywp.exe
Source: 8bZMO28ywp.exe, 00000000.00000000.1643628332.0000000000E4E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHannah757Zane.txtL vs 8bZMO28ywp.exe
Source: 8bZMO28ywp.exe	Binary or memory string: OriginalFilenameHannah757Zane.txtL vs 8bZMO28ywp.exe

Source: 8bZMO28ywp.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.8bZMO28ywp.exe.6ce8b000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8bZMO28ywp.exe.6ce60000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack, Arguments.cs

Base64 encoded string: 'NSA7VwQhI1EYEVBXKwRfCxgRHSw/WAEfAT0NLj0CBhU2EispNVgeFx8FAVcDISwdGwFREQRaPAsNP1gNBVtfEzA/XBcDIQUSDVpQEytbAgwYWj8UPlsoDDU/ERQ+PiNa'

Source: MSBuild.exe, 00000002.00000002.1726345634.0000000006565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000002.00000002.1723609289.00000000056E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/3@2/2

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03

Source: 8bZMO28ywp.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8bZMO28ywp.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8bZMO28ywp.exe

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\8bZMO28ywp.exe "C:\Users\user\Desktop\8bZMO28ywp.exe"
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: 8bZMO28ywp.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 8bZMO28ywp.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000002.00000002.1726345634.0000000006565000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1726345634.0000000006565000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.1723609289.000000000573A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb0: source: MSBuild.exe, 00000002.00000002.1714851063.0000000001050000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1723609289.000000000573A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1723609289.00000000056E7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 8bZMO28ywp.exe, -Module-.cs

.Net Code: _206E_200B_202C_206D_206E_206D_202C_206E_200F_200F_202B_202E_200C_200E_200F_206D_200D_206C_206D_206B_200C_202B_200E_202C_202D_206C_206B_202B_202E_206C_206E_206C_202C_202C_206F_202A_206C_206E_200E_206D_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE838F4 push ecx; ret	0_2_6CE83907
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE91E9F push es; ret	0_2_6CE91EA6
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_0AEF3555 push ebx; retf	0_2_0AEF3556
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_0AEF3D53 push ebp; ret	0_2_0AEF3D54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0120941F pushfd ; ret	2_2_01209429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_064917B0 push cs; ret	2_2_06491824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0649F480 push es; ret	2_2_0649F490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0649E3F1 push es; ret	2_2_0649E400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508221 push es; iretd	2_2_0650826C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508221 push es; ret	2_2_065083DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508221 push es; retn 5078h	2_2_06508550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508221 push es; retf 5079h	2_2_065085B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508221 push es; iretd	2_2_0650866C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06508622 push es; iretd	2_2_0650866C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0650C2D0 push es; ret	2_2_0650C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0650DC42 push esp; iretd	2_2_0650DC49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06500A90 push es; ret	2_2_06500AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0650FB2C push 8BD08B6Ch; retf	2_2_0650FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0650FBA5 push 8BD08B6Ch; retf	2_2_0650FBAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0650FBAC push es; iretd	2_2_0650FBBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06502940 push es; ret	2_2_06502950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06502900 push es; ret	2_2_06502910

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 8bZMO28ywp.exe PID: 6840, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 1820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 5860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 6860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 6990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 7990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 7CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 8CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory allocated: 9CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1033			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3057			Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\8bZMO28ywp.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6336	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4820	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 8bZMO28ywp.exe	Binary or memory string: CttJFgANByUSUqqNlTacvGfhgfSLmkzdzLZqzQPIOtgNTPxOYzGB.dll
Source: MSBuild.exe, 00000002.00000002.1723425107.0000000005670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllre=MSIL"/>
Source: 8bZMO28ywp.exe	Binary or memory string: CttJFgANByUSUqqNlTacvGfhgfS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: 0_2_6CE785CA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CE785CA

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: 0_2_6CE7E33C GetProcessHeap,

0_2_6CE7E33C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE780F1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CE780F1
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE785CA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE785CA
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Code function: 0_2_6CE7C567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE7C567

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: 0_2_6CE68C00 HuaweiShare,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,GetThreadContext,SetThreadContext,ResumeThread,CloseHandle,

0_2_6CE68C00

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AB6008	Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: 0_2_6CE78788 cpuid

0_2_6CE78788

Source: C:\Users\user\Desktop\8bZMO28ywp.exe	Queries volume information: C:\Users\user\Desktop\8bZMO28ywp.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8bZMO28ywp.exe

Code function: 0_2_6CE78213 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CE78213

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.8bZMO28ywp.exe.6ce8b000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8bZMO28ywp.exe.6ce60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4124, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\binance\	Jump to behavior

Source: Yara match	File source: 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4124, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.8bZMO28ywp.exe.6ce8b000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8bZMO28ywp.exe.6ce8b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8bZMO28ywp.exe.6ce60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4124, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	241 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
8bZMO28ywp.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.Metastealer
8bZMO28ywp.exe	100%	Avira	HEUR/AGEN.1311038
8bZMO28ywp.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\d3d9.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\d3d9.dll	70%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	0%	URL Reputation	safe
http://tempuri.org/D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/06/addressingex	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	0%	URL Reputation	safe
http://www.w3.o	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2002/12/policy	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	0%	URL Reputation	safe
http://tempuri.org/Contract/MSValue3ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT	0%	URL Reputation	safe
http://tempuri.org/Contract/MSValue2Response	0%	Avira URL Cloud	safe
http://tempuri.org/Contract/MSValue3Response	0%	Avira URL Cloud	safe
https://t.me/+J_Z1QGHfHko0MGZi	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD	0%	Avira URL Cloud	safe
https://t.me/	0%	Avira URL Cloud	safe
http://tempuri.org/Contract/MSValue2ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Contract/MSValue3	0%	Avira URL Cloud	safe
http://tempuri.org/Contract/MSValue1	0%	Avira URL Cloud	safe
http://tempuri.org/Contract/MSValue2	0%	Avira URL Cloud	safe
https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac	0%	Avira URL Cloud	safe
http://tempuri.org/Contract/MSValue1ResponseD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
up.nexgor.top	157.90.30.125	true	false		unknown
t.me	149.154.167.99	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/+J_Z1QGHfHko0MGZi	true	Avira URL Cloud: safe	unknown
https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Contract/MSValue3ResponseD	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Contract/MSValue2Response	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000002.00000002.1715957975.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	8bZMO28ywp.exe, 8bZMO28ywp.exe, 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Contract/MSValue3Response	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Contract/MSValue2ResponseD	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/	MSBuild.exe, 00000002.00000002.1715957975.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Contract/MSValue1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Contract/MSValue2	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Contract/MSValue3	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/D	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/06/addressingex	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3.o	MSBuild.exe, 00000002.00000002.1715957975.0000000003147000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MSBuild.exe, 00000002.00000002.1715957975.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2002/12/policy	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Contract/MSValue1ResponseD	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT	MSBuild.exe, 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
157.90.30.125	up.nexgor.top	United States		766	REDIRISRedIRISAutonomousSystemES	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483237
Start date and time:	2024-07-26 21:56:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8bZMO28ywp.exe renamed because original name is a hash value
Original Sample Name:	42661ea68d2293c67cb878d88257f7f2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/3@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 339 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target MSBuild.exe, PID 4124 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 8bZMO28ywp.exe

Simulations

Behavior and APIs

Time	Type	Description
15:56:56	API Interceptor	25x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.99	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	fps-booster.exe	Get hash	malicious	StormKitty	Browse	149.154.167.99
	LisectAVT_2403002A_138.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	LisectAVT_2403002B_272.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002B_344.exe	Get hash	malicious	Bdaejec, Vidar	Browse	149.154.167.99
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_18.exe	Get hash	malicious	Raccoon	Browse	188.114.96.3
	LisectAVT_2403002C_18.exe	Get hash	malicious	Raccoon	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	VJV2AjJ7Na.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	zx.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	7NeoZ6OBn2.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	7NeoZ6OBn2.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	fps-booster.exe	Get hash	malicious	StormKitty	Browse	149.154.167.99
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
REDIRISRedIRISAutonomousSystemES	93g0DCqh1e.elf	Get hash	malicious	Mirai	Browse	150.128.212.86
	https://www.congresosucv.com/maindeal/fxc/bWVsaXNzYS53aGl0ZWh1cnN0QGFmZm9yZGFibGVkZW50dXJlcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	157.90.130.199
	arm7.elf	Get hash	malicious	Mirai	Browse	156.35.111.180
	https://congresosucv.com/maindeal/fxc/YWNjb3VudHNyZWNlaXZhYmxlQGpwcGx1cy5jb20=	Get hash	malicious	HTMLPhisher	Browse	157.90.130.199
	https://ct2js04.na1.hs-sales-engage.com/Ctc/WZ+23284/ct2jS04/Jl28VMXNW7lDv8P6lZ3pcW7ZvSkt6MxtHGW75LPC74_WQVJW97RzS-1GzsgxW3C0l_Q5BnT9bN8H3VR33SQqBW2xj6fW2G1vj7W1vQmnx4tpFQ3N6-0GlBxxYrsW5WBrqV2RzGftW7mZDfC1Dy31mW6vWVKv2V7CXvMgj_bPbsjJNMh557VRDNvWW28TBsF8__fxnW8Fkw7X2wH15rW2bC8lF4CvmFmW3YPzfn9dfdg2W21rDSg7NQTWTW4T1Qr332BlhxW3HrXy58sHJTZW6M_hNS8PR08hW24xNqt5j4lrYW2k34g-6kTtfyW3Xvg9S1G4MqXW1bdn612WRGqrW72hbk31k087YMynlNTXC0LnW17gLh62z8b5GW8Ng_NJ36m19cW7n6g5N7P_6vYW5fGSQc6gyGQfW87CCSh3HxZypN6LTCNhMj-M3N5kt3__49HXbN70w9lLFm9dGW4gBNMJ7TlT7yN98N7GkkML6bW4LLqWT3GhxjwW3ll4061rVnp5W10GR4v38YGF-N3Ygqt3DTHY3W25GD7J8CWGdRMKyr2CZw9NjW5dMl177CpSY-W61k25g3NdSV-W7t_-Hc2mk8vnW92FrHx40VXSgN7y9dkJjjgv6N88pC7SlHt0mW2qLnBF3YlRdNW3BTtG95kmr8qW1JgRPV1Tsgl6N82B0fNbG_HZN4-KZn_L56BTW5g-zV35PP3lfW1zzcXP2HpTtNW2Bxwjv5QqNpwW82x1v93sr-W5W4SFQBj8DtvcpW3G5Yzn5LKYq8W14jVYm6q01PbW3bcSfP8HWtYtW90J1y9303PYLW4zNDLT8FGHmjW6qwRRQ65_CWCW88Kngt4y81MyN1F6glnKx9YSW14_55B5Hs1sfW1x2y_B6D2Cz6VGR3n14wzw5RW3PxV7v2JRb7JVYsm3p3RcTmDf31zBrb04	Get hash	malicious	HTMLPhisher	Browse	157.90.130.199
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	157.90.1.125
	https://www.leaflogistic.co/	Get hash	malicious	HTMLPhisher	Browse	157.90.4.17
	7OFBdUtXsK.elf	Get hash	malicious	Mirai	Browse	150.244.162.159
	BfQ121ipnz.elf	Get hash	malicious	Mirai	Browse	161.72.18.32
	mips.elf	Get hash	malicious	Mirai	Browse	158.49.221.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Modrinth_Installer.exe	Get hash	malicious	XWorm	Browse	149.154.167.99
	Modrinth_Installer.exe	Get hash	malicious	XWorm	Browse	149.154.167.99
	VJV2AjJ7Na.exe	Get hash	malicious	XWorm	Browse	149.154.167.99
	zx.ps1	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://b8le2c5j.r.us-east-2.awstrack.me/L0/https:%2F%2Fslivtovara.ru%2Fbitrix%2Fredirect.php%3Fevent1=click_to_call%26event2=%26event3=%26goto=https:%2F%2F7qrw.wanianten.com%2FGhGNAL8%2F%23Pamy@derick.com/1/010f0190ec251e7b-a039cc69-e4b5-46b3-9c67-bbe921a600f9-000000/LLZuw2OBV0eOHt3bnXuAzTOkJoc=169	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	149.154.167.99
	https://alamanaschool-my.sharepoint.com/:o:/g/personal/faridhajahan_kg_amanaschool_com/EjJ3Pc0GI4lCgL5xS_fmQD0Bn9XR0VtN5_yNafsBQyYJsg?e=OHPWmQ	Get hash	malicious	Unknown	Browse	149.154.167.99
	17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.99
	SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.99
	https://fiffr-12d16.web.app	Get hash	malicious	Unknown	Browse	149.154.167.99
	Swift Copy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.99

Process:	C:\Users\user\Desktop\8bZMO28ywp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2545
Entropy (8bit):	5.330114603578639
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3okHafHK7HKhBHKntHo6hAHKzeEHK8THQmHKtXoPHZHjHKx1qHxLHqV:iqlYqh3okmq7qLqntI6eqzPqojqo5DqL
MD5:	34EA31FEBEC0DD953C402C7AF0A71693
SHA1:	44D5A8E8257F568B5559B047A51B57FD68D5CF46
SHA-256:	F362F96B45ABD63A0B52900CBC09250A22C3249AD9F7C0726676E797B9EF76B6
SHA-512:	641A81F119704D748F651DC58B51418E1A03AA08568F5FBFA3C731FAAB6C9FF140057E1B95C94124B73756310E092C967D55A5FEF9522FFD55810EBD19E996BD
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7

C:\Users\user\AppData\Roaming\d3d9.dll

Download File

Process:	C:\Users\user\Desktop\8bZMO28ywp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	292352
Entropy (8bit):	6.829863995979643
Encrypted:	false
SSDEEP:	6144:0bVI51mF0g9G+SFFoYe78PnnXX6uftgzitgqYxT:1XmF0g9Vl8PaufteVn1
MD5:	A159A8F54865B84D038166E0E61ADEF9
SHA1:	61B0275B761D057A6AE52C0117714328EA934C42
SHA-256:	A024A176ADEC30449A16FAC5FF34D5F93B6B0004A7BA92220BAFE74C18FF9A71
SHA-512:	7BACA77BB715DACE626E8ABF6156C6D356045BB8DD962B77428C72F9652262647FF9B36ECFB359F2A6E1995EB09FA057C8E4FF3A376D4AB0CA98328B4CAF99FE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L.....f...........!...&.,...P..............@............................................@.........................@...x.......<...............................D...`...................................@............@..P............................text...C+.......,.................. ..`.rdata..Vh...@...j...0..............@..@.data...T...........................@....reloc..D............Z..............@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.530766885150198
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	8bZMO28ywp.exe
File size:	571'904 bytes
MD5:	42661ea68d2293c67cb878d88257f7f2
SHA1:	a63f14b94257e93f483fba2dc9c9338a4d487d99
SHA256:	8157fd69bd3a3259d7911729323d4fe91eb4745fdccf2b605787b956ffe8d1c2
SHA512:	1d506d5815f44a27ea65601ef7da36e912f2f00accce63532f5c793808235a187589a6bddaa12d3feddd483f0f7d9a67ebd73d7a0f5c30df34ef9dcb5ddcab9d
SSDEEP:	12288:lgP1HBOB7Nu02X6CVswMK8qDapoEts/bj9XVk2TtF2gip5/V59ihmPWjZ7hHl1H5:lgP1IB00hze
TLSH:	14C41DDC725072DFC85BC972CEA81C68EA5034BB871B920790671AEDDA5D89BCF150F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x48cdde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669FC5B8 [Tue Jul 23 15:01:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x698	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8ade4	0x8ae00	a6ccd364b5f227e1ebdf0418ce1ab183	False	0.5771545904590459	data	6.536626940871344	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x698	0x800	e31ed044bdbfd1ae3637ee77b3bf5876	False	0.361328125	data	3.6447564257182488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	4c2326af17b155e8cb99b027b34ef660	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e0a0	0x40c	data			0.416023166023166
RT_MANIFEST	0x8e4ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T21:56:55.840440+0200	TCP	2001689	ET WORM Potential MySQL bot scanning for SQL server	49731	3306	192.168.2.4	157.90.30.125
2024-07-26T21:56:57.091193+0200	TCP	2049282	ET MALWARE MetaStealer Activity (Response)	3306	49731	157.90.30.125	192.168.2.4
2024-07-26T21:56:56.637010+0200	TCP	2046105	ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound)	49731	3306	192.168.2.4	157.90.30.125
2024-07-26T21:56:56.885526+0200	TCP	2046105	ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound)	49731	3306	192.168.2.4	157.90.30.125

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:56:48.806942940 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 26, 2024 21:56:53.943470955 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:53.943558931 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:53.943628073 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:53.997555017 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:53.997611046 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:54.855756044 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:54.855870008 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:54.873473883 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:54.873512983 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:54.873764992 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:54.916208982 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.052294016 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.096506119 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245580912 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245651960 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245671988 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245724916 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.245784998 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245848894 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.245848894 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.245851994 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245884895 CEST	443	49730	149.154.167.99	192.168.2.4
Jul 26, 2024 21:56:55.245902061 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.245929956 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.252329111 CEST	49730	443	192.168.2.4	149.154.167.99
Jul 26, 2024 21:56:55.840440035 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:55.845766068 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:55.845860958 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:55.853687048 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:55.859155893 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:56.608819962 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:56.637010098 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:56.642590046 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:56.842097044 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:56.884967089 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:56.885525942 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:56.890897989 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091063976 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091121912 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091159105 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091186047 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:57.091192961 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091232061 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091247082 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:57.091273069 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:57.091324091 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:58.416285992 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 26, 2024 21:56:59.069581032 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075160980 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075203896 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075232029 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075261116 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075289011 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075303078 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075339079 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075342894 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075372934 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075392962 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075402021 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075422049 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075432062 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075450897 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075475931 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.075738907 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.075783968 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.076541901 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.080450058 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.080569029 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.080936909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.080980062 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.081007957 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.081042051 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.081070900 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.081113100 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.081125021 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.081154108 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.081177950 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.081253052 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.081293106 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.082267046 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.082370996 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.086445093 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.086472988 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.086524963 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.086899996 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.086946011 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.086982965 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087070942 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087100983 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087105036 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087150097 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087225914 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087511063 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087707996 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087762117 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087809086 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087838888 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087863922 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087869883 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087903023 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.087908983 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.087986946 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.088375092 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.088382959 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.088453054 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.088557959 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.088584900 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.088591099 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.088630915 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.088701010 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089186907 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089215994 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089242935 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089263916 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089272022 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089292049 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089301109 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089318991 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089330912 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089346886 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089359999 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.089370966 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089396954 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.089524031 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.091695070 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092056036 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092082977 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092096090 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092132092 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092135906 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092160940 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092190027 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092238903 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092291117 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092390060 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092518091 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092545986 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092583895 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092597961 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092628002 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092654943 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092680931 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092710972 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092730045 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092758894 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092770100 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.092787027 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092813969 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092864037 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092890978 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092916965 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092942953 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.092968941 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093014956 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093043089 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093070030 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093117952 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093144894 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093169928 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093195915 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093221903 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093249083 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093297958 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093323946 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093349934 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093377113 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093401909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093427896 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093475103 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093501091 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093528032 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093553066 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093579054 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093605995 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093632936 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093658924 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093709946 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093736887 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093763113 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093789101 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093839884 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093846083 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.093868017 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093895912 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093924046 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093950987 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.093965054 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.095151901 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095186949 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095393896 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095443010 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095556021 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095582962 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095653057 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095760107 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095786095 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095813036 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095860958 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095886946 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095912933 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.095940113 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097225904 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097275972 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097302914 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097362041 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097389936 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097419977 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097527027 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097553968 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097580910 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097628117 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097655058 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.097680092 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100027084 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100054026 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100085020 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100239038 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100269079 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100317001 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100343943 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100392103 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100418091 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100431919 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100444078 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100475073 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100496054 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100507975 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100522041 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100538015 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100550890 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100655079 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100667000 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100677967 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100691080 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100704908 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100795984 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.100831032 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100867033 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100879908 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100917101 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.100944042 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100956917 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100980997 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.100992918 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101016045 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101031065 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101085901 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101098061 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101125002 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101138115 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101150990 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101161957 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101227999 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101239920 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101262093 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101274014 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101284981 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101295948 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101325989 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101337910 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101589918 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101603031 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101691008 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101703882 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101713896 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101726055 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101737022 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101758003 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101771116 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101788044 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101830959 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101841927 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101893902 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101907015 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101917982 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101964951 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.101978064 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.102133036 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.102144957 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.102232933 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.102245092 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108725071 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108743906 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108756065 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108767033 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108778954 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108789921 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108802080 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108825922 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108838081 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108853102 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.108865023 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109172106 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109190941 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109204054 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109215975 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109245062 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109257936 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109285116 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109297037 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109371901 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109385014 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109524012 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109580040 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109591961 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109787941 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109801054 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109812021 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109823942 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109836102 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109858990 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109870911 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109882116 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109894037 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109905958 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109916925 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109929085 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109940052 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109951973 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109963894 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109975100 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109987020 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.109997988 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110008955 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110039949 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110052109 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110063076 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110074043 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110096931 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110109091 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110120058 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110132933 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110327005 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.110338926 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.112760067 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.112889051 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.120608091 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120626926 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120640039 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120651960 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120662928 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120681047 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120692968 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.120934963 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.121057987 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121061087 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.121093988 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121123075 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121151924 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121179104 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121206999 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121233940 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121259928 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121287107 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121311903 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121337891 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121365070 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121392012 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121417999 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121444941 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121470928 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121496916 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121524096 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121577024 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121603966 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121630907 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121658087 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121684074 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121710062 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121735096 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121761084 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121787071 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121813059 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121839046 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121867895 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121893883 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121920109 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121968031 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.121994019 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122020006 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122045994 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122071981 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122097969 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122123957 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122149944 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122175932 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122203112 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122227907 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122253895 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122279882 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.122306108 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.158888102 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.159161091 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.159281969 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.160288095 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160322905 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160379887 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160408020 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160434008 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160459995 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160517931 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160546064 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160573006 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160599947 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160651922 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160677910 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160705090 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160732031 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160758018 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160784006 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160809994 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160835028 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160868883 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160897970 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160923958 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.160949945 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161003113 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161035061 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161062002 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161088943 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161114931 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161140919 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161166906 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161192894 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161218882 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161245108 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161269903 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161295891 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161322117 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161348104 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161372900 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161397934 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161425114 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161449909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161475897 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161521912 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161546946 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161571980 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161597967 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161623001 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161648035 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161674023 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161699057 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161725044 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161751032 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.161776066 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165226936 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165257931 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165282965 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165328979 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165354013 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165379047 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165405035 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165431023 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165477037 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165494919 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.165503025 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165529013 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165576935 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165604115 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165611029 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.165652037 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165678024 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165704012 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165751934 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165776968 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165803909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165849924 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165877104 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165903091 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165927887 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165954113 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.165978909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166024923 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166050911 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166075945 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166101933 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166127920 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166153908 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166199923 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166225910 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166251898 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.166276932 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.170289040 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.170552015 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.170702934 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.171344995 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171381950 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171435118 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171462059 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171562910 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171590090 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171680927 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171708107 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171734095 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171760082 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171786070 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171812057 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171864986 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171891928 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171919107 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171945095 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171969891 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.171996117 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172022104 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172048092 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172074080 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172100067 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172127008 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172152042 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172199965 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172226906 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172252893 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172280073 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172306061 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172332048 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172358036 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172383070 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172410011 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172435999 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172461987 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172521114 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172548056 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172579050 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172605038 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172631979 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.172657013 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.211498976 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.211745024 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.211879969 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.211879969 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.211921930 CEST	49731	3306	192.168.2.4	157.90.30.125
Jul 26, 2024 21:56:59.217418909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217438936 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217451096 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217463017 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217474937 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217488050 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217499018 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217510939 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217853069 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217871904 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217885017 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217895985 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217906952 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217917919 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217928886 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217941046 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217952967 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217964888 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217976093 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217987061 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.217998981 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218010902 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218022108 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218034029 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218058109 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218070030 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218308926 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218333006 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218560934 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218573093 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218671083 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218683958 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218696117 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218708038 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218893051 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218914032 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218926907 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218931913 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218947887 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.218971014 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219034910 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219048023 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219070911 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219083071 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219104052 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219116926 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219172955 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219185114 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219223976 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219286919 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219327927 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219422102 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219434023 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219450951 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219536066 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219547987 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219571114 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219583035 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219595909 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219608068 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219702005 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219713926 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219724894 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219738007 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219749928 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:56:59.219762087 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:57:00.131381989 CEST	3306	49731	157.90.30.125	192.168.2.4
Jul 26, 2024 21:57:00.140782118 CEST	49731	3306	192.168.2.4	157.90.30.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:56:53.927194118 CEST	49918	53	192.168.2.4	1.1.1.1
Jul 26, 2024 21:56:53.934556961 CEST	53	49918	1.1.1.1	192.168.2.4
Jul 26, 2024 21:56:55.725243092 CEST	52113	53	192.168.2.4	1.1.1.1
Jul 26, 2024 21:56:55.838285923 CEST	53	52113	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 21:56:53.927194118 CEST	192.168.2.4	1.1.1.1	0xa488	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Jul 26, 2024 21:56:55.725243092 CEST	192.168.2.4	1.1.1.1	0x7545	Standard query (0)	up.nexgor.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 21:56:53.934556961 CEST	1.1.1.1	192.168.2.4	0xa488	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Jul 26, 2024 21:56:55.838285923 CEST	1.1.1.1	192.168.2.4	0x7545	No error (0)	up.nexgor.top		157.90.30.125	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	149.154.167.99	443	4124	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 19:56:55 UTC	71	OUT	GET /+J_Z1QGHfHko0MGZi HTTP/1.1 Host: t.me Connection: Keep-Alive
2024-07-26 19:56:55 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 26 Jul 2024 19:56:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12287 Connection: close Set-Cookie: stel_ssid=9eaa1b153a5f1ee811_6119055074611904441; expires=Sat, 27 Jul 2024 19:56:55 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-07-26 19:56:55 UTC	12287	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 4a 6f 69 6e 20 47 72 6f 75 70 20 43 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Join Group Chat</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Target ID:	0
Start time:	15:56:52
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\8bZMO28ywp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8bZMO28ywp.exe"
Imagebase:	0xdc0000
File size:	571'904 bytes
MD5 hash:	42661EA68D2293C67CB878D88257F7F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:56:52
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:56:52
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x8b0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1713784547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1715957975.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.8%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	12.8%
Total number of Nodes:	623
Total number of Limit Nodes:	12

Executed Functions

Function 6CE68C00 Relevance: 136.5, APIs: 23, Strings: 47, Instructions: 14013threadmemoryinjectionCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CE70A36
ShowWindow.USER32 ref: 6CE70A4C
CreateProcessW.KERNELBASE ref: 6CE74D92
VirtualAlloc.KERNELBASE ref: 6CE74E68
Wow64GetThreadContext.KERNEL32 ref: 6CE74EA1
VirtualAllocEx.KERNELBASE ref: 6CE75093
VirtualAllocEx.KERNEL32 ref: 6CE751F4
WriteProcessMemory.KERNELBASE ref: 6CE75252
WriteProcessMemory.KERNELBASE ref: 6CE754D5
ReadProcessMemory.KERNEL32 ref: 6CE75E45
WriteProcessMemory.KERNELBASE ref: 6CE76323
Wow64SetThreadContext.KERNEL32 ref: 6CE763DC
ResumeThread.KERNELBASE ref: 6CE763F1
CloseHandle.KERNEL32 ref: 6CE764DC
CloseHandle.KERNEL32 ref: 6CE7657B
GetConsoleWindow.KERNEL32 ref: 6CE76C0E
ShowWindow.USER32 ref: 6CE76C24
VirtualAlloc.KERNEL32 ref: 6CE77390
GetThreadContext.KERNEL32 ref: 6CE773C9
SetThreadContext.KERNEL32 ref: 6CE7754B
ResumeThread.KERNEL32 ref: 6CE77560
CloseHandle.KERNEL32 ref: 6CE77584

Strings

&+=, xrefs: 6CE75939
&W/K, xrefs: 6CE6DFBD
[E?, xrefs: 6CE71F21
Z^x-, xrefs: 6CE6FCD9
]c], xrefs: 6CE718EA
pn, xrefs: 6CE7255B
?DL-, xrefs: 6CE73088
`R|z, xrefs: 6CE6DE8E
4*v', xrefs: 6CE73759
`R|z, xrefs: 6CE6DE10
m!C0, xrefs: 6CE71EAC
'3j-, xrefs: 6CE6ECFB
xR?z, xrefs: 6CE6DDA5
?DL-, xrefs: 6CE730D1
tpO', xrefs: 6CE75B27
NN%L, xrefs: 6CE731E0
D, xrefs: 6CE77338
m^3, xrefs: 6CE6E775
m}F%, xrefs: 6CE7087D
RO~~, xrefs: 6CE6D26B
47, xrefs: 6CE6FFC3
D;T$, xrefs: 6CE72027
kernel32.dll, xrefs: 6CE70A52, 6CE76C2A
4*v', xrefs: 6CE736D9
1i-, xrefs: 6CE7403F
NN%L, xrefs: 6CE73185
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CE74C51
7U*, xrefs: 6CE71B14
#gG, xrefs: 6CE6DA3F
ntdll.dll, xrefs: 6CE70A66, 6CE76C3E
1i-, xrefs: 6CE740D9
4f'Y, xrefs: 6CE7109F
tpO', xrefs: 6CE75AD6
@, xrefs: 6CE751EC
n?[, xrefs: 6CE7327E
,~t", xrefs: 6CE71DE4
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CE74C20
G;&, xrefs: 6CE6CEEA
&+=, xrefs: 6CE759BA
,~t", xrefs: 6CE71D76
n?[, xrefs: 6CE732C7
RO~~, xrefs: 6CE6D2CC
OWp, xrefs: 6CE73A04
w7zG, xrefs: 6CE6EEAA
x9f, xrefs: 6CE76243
# U, xrefs: 6CE68C20
Z\+, xrefs: 6CE7427A

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: Thread$Process$AllocContextMemoryVirtualWindow$CloseHandleWrite$ConsoleResumeShowWow64$CreateRead
String ID: # U$&W/K$'3j-$,~t"$,~t"$4*v'$4*v'$4f'Y$7U*$?DL-$?DL-$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$D;T$$G;&$NN%L$NN%L$OWp$RO~~$RO~~$Z^x-$[E?$]c]$`R|z$`R|z$kernel32.dll$m!C0$m}F%$ntdll.dll$tpO'$tpO'$w7zG$x9f$xR?z$#gG$&+=$&+=$1i-$1i-$47$Z\+$m^3$n?[$n?[$pn
API String ID: 3533007122-1852549398
Opcode ID: 6c0c7978d1231d2c4ebfe22096f603537efd4822a36bc89a36f9654dcdff88cc
Instruction ID: c1a45e5784ffe6e9d2f0233e3f53f12593d31bff382155b81ffe82f9c35dcea9
Opcode Fuzzy Hash: 6c0c7978d1231d2c4ebfe22096f603537efd4822a36bc89a36f9654dcdff88cc
Instruction Fuzzy Hash: CA442231AA12218FCB25CE6DD9D03D977F1EB87314F215296E8149BB94D3399E8ACF10

Function 6CE61210 Relevance: 75.1, APIs: 23, Strings: 16, Instructions: 6846filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CE670D9
GetModuleHandleA.KERNEL32 ref: 6CE67117
K32GetModuleInformation.KERNEL32 ref: 6CE67247
GetModuleFileNameA.KERNEL32 ref: 6CE67335
CreateFileA.KERNELBASE ref: 6CE67379
CreateFileMappingA.KERNEL32 ref: 6CE6746F
CloseHandle.KERNEL32 ref: 6CE675DF
MapViewOfFile.KERNELBASE ref: 6CE6777C
VirtualProtect.KERNELBASE ref: 6CE67A53
VirtualProtect.KERNELBASE ref: 6CE67B1C
FindCloseChangeNotification.KERNELBASE ref: 6CE67DAB
CloseHandle.KERNEL32 ref: 6CE67DBF
CloseHandle.KERNEL32 ref: 6CE67DD1
GetCurrentProcess.KERNEL32 ref: 6CE6846E
GetModuleHandleA.KERNEL32 ref: 6CE684AC
GetModuleFileNameA.KERNEL32 ref: 6CE6852F
CreateFileA.KERNEL32 ref: 6CE68573
CloseHandle.KERNEL32 ref: 6CE685A9
MapViewOfFile.KERNEL32 ref: 6CE685FD
CloseHandle.KERNEL32 ref: 6CE6869B
CloseHandle.KERNEL32 ref: 6CE686AF
CloseHandle.KERNEL32 ref: 6CE686C1

Strings

M|\, xrefs: 6CE666E2
^c_, xrefs: 6CE675B8
$), xrefs: 6CE64AF0
@, xrefs: 6CE67A47
=Uc, xrefs: 6CE67D89
>shS, xrefs: 6CE635D9
M|\, xrefs: 6CE66733
&3D, xrefs: 6CE67209
^c_, xrefs: 6CE67613
sS\<, xrefs: 6CE63AF6
9/u5, xrefs: 6CE67183
GEp>, xrefs: 6CE65E1A
cx[, xrefs: 6CE67618
WnS, xrefs: 6CE63B7C
pf, xrefs: 6CE63D5C
=Uc, xrefs: 6CE686C7

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: Handle$Close$File$Module$Create$CurrentNameProcessProtectViewVirtual$ChangeFindInformationMappingNotification
String ID: pf$$)$9/u5$=Uc$=Uc$>shS$@$GEp>$M|\$M|\$WnS$^c_$^c_$sS\<$&3D$cx[
API String ID: 3731317439-3032977324
Opcode ID: ff87fb50b756430d1aac314a39660cb9f21fe4a15d3b65cac166c697b0fcfa4c
Instruction ID: e33405c0f3c723778d0c135660a2e69e328e3076550f31b9cdf23dbb55a8ad59
Opcode Fuzzy Hash: ff87fb50b756430d1aac314a39660cb9f21fe4a15d3b65cac166c697b0fcfa4c
Instruction Fuzzy Hash: B3C35A32AA62158FCB14CE3EC9A53DDB7F1AB47314F205286D91CDBF94C635898A8F41

Function 6CE686E0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 292
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CE6882A
GetProcAddress.KERNEL32 ref: 6CE68842

Strings

ntdll.dll, xrefs: 6CE68821
NtQueryInformationProcess, xrefs: 6CE68835

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 1646373207-2906145389
Opcode ID: c44a6c88b6c95b7473be82fe79e6d9efeb1a041403382bd8cb482a52321563b0
Instruction ID: b49e11ec40348c71dc94989402ac7abed3fb157b17b4f5224d83934b2164d69c
Opcode Fuzzy Hash: c44a6c88b6c95b7473be82fe79e6d9efeb1a041403382bd8cb482a52321563b0
Instruction Fuzzy Hash: B0B1CDB5AA52048FCB24CFBCC5A53DEBBF1AF47354F20911AD415EBB50C73599068B42

Function 014B0E46 Relevance: 2.7, Strings: 2, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 34b56ed95f8246b01d0ff4ee92e20d0fc9f2737dae1fd9b08db8234248e33a5c
Instruction ID: bb5683ea9266873a854178bce0344eed9d81f0f8e9ae45d760ae38ef8b4b665b
Opcode Fuzzy Hash: 34b56ed95f8246b01d0ff4ee92e20d0fc9f2737dae1fd9b08db8234248e33a5c
Instruction Fuzzy Hash: 4DA1C070A00255CFCB48CF68C9D49AABBF2FF45711B1581ABE809AF266C735DD06CB61

Function 014B0D74 Relevance: 2.7, Strings: 2, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: b5c22a08bf0bc93862cdced0d1b17f50cda2ece5f3c9d897bc519d0cd3856c3c
Instruction ID: fddb580ca198ecc32c81396a89b83b69735ce55ae474c7c4447ba3ad0a06e09c
Opcode Fuzzy Hash: b5c22a08bf0bc93862cdced0d1b17f50cda2ece5f3c9d897bc519d0cd3856c3c
Instruction Fuzzy Hash: 4691CF30A04355CFCB44CF68D5D09AABBF2FF45711B1582ABE809AF266C7399D06CB61

Function 014B0ADD Relevance: 2.7, Strings: 2, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 53c24e475b8bdd4a2b039b9db5d965d2cc66bdc133f2e7219172f5f7d4fceec3
Instruction ID: 1f35b9c56d950d1cef65103996724b942eef5141c8330927541a799765cc7342
Opcode Fuzzy Hash: 53c24e475b8bdd4a2b039b9db5d965d2cc66bdc133f2e7219172f5f7d4fceec3
Instruction Fuzzy Hash: 0D91B030A04355CFCB44CF68D4D49AABBF2FF85711B1581ABE805AF266C7399D06CB61

Function 014B0ACD Relevance: 2.7, Strings: 2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: d2e7b33a23c3d8fd3e6c7dab0ffbfb544229b8e8bc78b77fad67ba58a6693ae2
Instruction ID: 14025071f858c2d87a86310d00af0b659241d695ef8bbcb113d13ac6381abb72
Opcode Fuzzy Hash: d2e7b33a23c3d8fd3e6c7dab0ffbfb544229b8e8bc78b77fad67ba58a6693ae2
Instruction Fuzzy Hash: 7991C330A043558FCB49CF68D4D49EABBF2FF85710B1581ABE805AF266C7399D06CB61

Function 014B08DF Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 7de3b324cc88b26b730951677b9bd724970354f44668f35206d6018c24e8a88c
Instruction ID: 53acee82812453183b0da0788668e3832da67240f00494c3eaa87a770c8017f5
Opcode Fuzzy Hash: 7de3b324cc88b26b730951677b9bd724970354f44668f35206d6018c24e8a88c
Instruction Fuzzy Hash: D691F470A043958FCB49CF68C4D05EEBBF2FF85710B1581ABD845AF266C6399D06CB61

Function 014B0969 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 51c2be628a64fdcffd71c3bf17e0014f3c8b808a71ff0f5a14c0c8a2ac82e15d
Instruction ID: 48840970fe0735f949c99e06a2d80afba7d04d8636cbd5b38086334abfcc2947
Opcode Fuzzy Hash: 51c2be628a64fdcffd71c3bf17e0014f3c8b808a71ff0f5a14c0c8a2ac82e15d
Instruction Fuzzy Hash: F791C130A043558FCB45CF68D4D09EABBF2FF85710B1581ABE805AF666C7399D06CB61

Function 014B0AB4 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 1447933c0a2fd38cbc670d569e2ceab6189272909039b86294969ffed1ac4853
Instruction ID: 0230fabfdd639cbde9f55ed4863b74d81b053937122f11a84b3003d1ab3d5b5d
Opcode Fuzzy Hash: 1447933c0a2fd38cbc670d569e2ceab6189272909039b86294969ffed1ac4853
Instruction Fuzzy Hash: 4381E630A043558FCB49CF68D4D09EABBF2FF85710B1585ABE805AF266C7399D06CB61

Function 014B0D17 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: daf5ee5a4e00ff7f7c7ff369ea1635770ed131e507f609fb40b7a223f9d85fa2
Instruction ID: 3d37e5d4a0fc85f7444c3135c898ae7fa8ee44ed5e4718dd2d52887859d6176f
Opcode Fuzzy Hash: daf5ee5a4e00ff7f7c7ff369ea1635770ed131e507f609fb40b7a223f9d85fa2
Instruction Fuzzy Hash: 7191B130A043558FCB45CF68D8D09EABBF2FF85711B1581ABE805AF266C7399D06CB61

Function 014B0C04 Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 6ef57741e1e46e70a0ff94cda4b6ed2cdc0548cc8725d90f4185efa4d3408666
Instruction ID: 1e82e51f4082880f199c6902a70c044a98ee025a9e03541e54f5b0700495a7dc
Opcode Fuzzy Hash: 6ef57741e1e46e70a0ff94cda4b6ed2cdc0548cc8725d90f4185efa4d3408666
Instruction Fuzzy Hash: 9581D330A043598FCB49CF68D5D05EEBBB2FF85710B25829BD805AF266C7399D06CB61

Function 014B09C6 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 84eed9ad55e8d5c0431357b4df431743ab12ad306ff4ed357ba36431571f1358
Instruction ID: a02b6f55a844e3efab539c71eee72d0cc57d6c50991e5320fdaa326e8e718bd1
Opcode Fuzzy Hash: 84eed9ad55e8d5c0431357b4df431743ab12ad306ff4ed357ba36431571f1358
Instruction Fuzzy Hash: 5D81D330A043998FCB49CF68D5D05EEBBF2FF85710B15819BD805AF266C6399D06CB61

Function 014B0B9D Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 0461b12610c6b09def035de2242f4c2942e4d52b995fd92e753d95c251adcd10
Instruction ID: 36434f148ae8c3d535e4aab7d9fca74f004d8b0880b8a83d18820062ce1436d1
Opcode Fuzzy Hash: 0461b12610c6b09def035de2242f4c2942e4d52b995fd92e753d95c251adcd10
Instruction Fuzzy Hash: 5E81E430A043558FCB49CF68D4D05EABBF2FF85710B1581ABE805AF266C7399D06CB61

Function 014B0C69 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: d436b33e45e11afe7bb18bb02b563a49badcc9b03b5d2bbf2d15e64ece40e553
Instruction ID: 52daa99874f6352ca0c40c381a88c6b09221bfca38807d394c816b9b5f7967cc
Opcode Fuzzy Hash: d436b33e45e11afe7bb18bb02b563a49badcc9b03b5d2bbf2d15e64ece40e553
Instruction Fuzzy Hash: 2481E531A043558FCB49CF68D8D05EABBF2FF85710B1581ABE805AF266C7399D06CB61

Function 014B0CA0 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 27d909cbb3d01c55589da901ac047951ad11fe2471d6f45715535f8d0fea8727
Instruction ID: fc3972b5f2b75e6be2d7871971631dcc533d651d08e87171fd0f17b2ef73b0e8
Opcode Fuzzy Hash: 27d909cbb3d01c55589da901ac047951ad11fe2471d6f45715535f8d0fea8727
Instruction Fuzzy Hash: AE81C370A043558FCB49CF68D4D05EABBF2FF85710B1581ABE805AF266C7399D06CB61

Function 014B0BD4 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: ba310c6ab5034bdea81d89d28434b36d3116539a44f7e308fd2d6929876433f3
Instruction ID: 10b3cc018711b00a5f8f072e277bd6da9f2e2f72264174dd9cd8236f61080fa2
Opcode Fuzzy Hash: ba310c6ab5034bdea81d89d28434b36d3116539a44f7e308fd2d6929876433f3
Instruction Fuzzy Hash: 5F81F570A043558FCB49CF68D4D05EABBF2FF85710B1581ABE805AF266C7399D06CB61

Function 014B0CF7 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 495256c5490fb7d1466d3f35449185f51e58817eb9a34d2384f663e279c9e2a1
Instruction ID: c9ea1dad062d61d2f7f4c30ca41a132a35a256677853b0287df8be22b6d73d1a
Opcode Fuzzy Hash: 495256c5490fb7d1466d3f35449185f51e58817eb9a34d2384f663e279c9e2a1
Instruction Fuzzy Hash: F181F630A043558FCB49CF68D4D05EABBF2FF85710B1581ABE805AF266C7399D06CB61

Function 014B0F1C Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: f44c37540daf90261f940743ccc4f2641afa498d4b416433e978441d784382f2
Instruction ID: 0aea5d6e7bb8954403b725d9e7e6c57aa47dd598e2b662dac81c9d35d37c838f
Opcode Fuzzy Hash: f44c37540daf90261f940743ccc4f2641afa498d4b416433e978441d784382f2
Instruction Fuzzy Hash: 58610570B042558FCB44CF78D8906EEBBB2FF85710B24816BD845AF266C6398D06CBA0

Function 014B1010 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014B102D
Te^q, xrefs: 014B1187

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 5d97da3a7dd2dfe8e8ca8438112dc204ea34ff2fd861d2d7cf28eaefad794b4a
Instruction ID: e5d222fffa6ea5b60ca4d56198a98cdb7eb755c44bd30d9852f9784166a2ce70
Opcode Fuzzy Hash: 5d97da3a7dd2dfe8e8ca8438112dc204ea34ff2fd861d2d7cf28eaefad794b4a
Instruction Fuzzy Hash: 9541D571B001558FDB08CFA9D9946BEBAF6FB88700F10442BE506EF7A5CA759D01CB91

Function 0AF035E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

$ZS, xrefs: 0AF03733

Memory Dump Source

Source File: 00000000.00000002.1651054429.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aef0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID: $ZS
API String ID: 0-4074208126
Opcode ID: 3cd477d115084da0594e9fa829ae4f5dba269c3a76c38b5ea6b83d6c3b51fe2b
Instruction ID: ee5ee9bfc2cc8ccc2c9f413200b3538f4036deaf209a62921030d6351b393934
Opcode Fuzzy Hash: 3cd477d115084da0594e9fa829ae4f5dba269c3a76c38b5ea6b83d6c3b51fe2b
Instruction Fuzzy Hash: B2415D33B043139F87289E798A5583B7BA6EBD4510751863AC40ADF3E4CF30DD029792

Function 014B2420 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3e56309b1a81aa73fc77f8ba56cc3bc80d1e356a8faa497eac978d9395063b
Instruction ID: cb1927c4f09a9139d1545ccb27db18c4a23d2916e8f1747a315119c1fb6d8a71
Opcode Fuzzy Hash: 8e3e56309b1a81aa73fc77f8ba56cc3bc80d1e356a8faa497eac978d9395063b
Instruction Fuzzy Hash: 70A1E071614601CFC754CF28C5C0CAABBB1FB9432475646A7D81A9F671CBB8FC428BA6

Function 014B2330 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d30dcf9fc45af18236734f7021d7c8f2970d9eba407e63ebc7e13f005771f9e
Instruction ID: ff139be2b9614f86456c5af9dbf726cfc5b16e533d65f70f3037f4521aea1b5e
Opcode Fuzzy Hash: 0d30dcf9fc45af18236734f7021d7c8f2970d9eba407e63ebc7e13f005771f9e
Instruction Fuzzy Hash: 1CA10231518201CBCB55CF28C5C08E9BBB1FB9532474646ABCC498F276C778F9468B66

Function 014B22F4 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfbed1c1df97402a0b1bd609c64f6238a47b65eb5d02567e17011ea68681d6d
Instruction ID: 5fab1eb4f8fecb323795703b6df08db35b04387eacc7f6c881619ce712fb9144
Opcode Fuzzy Hash: 2cfbed1c1df97402a0b1bd609c64f6238a47b65eb5d02567e17011ea68681d6d
Instruction Fuzzy Hash: E7A12331518200CFCB55CF28C5C0CAABBB2FB9532475646ABC8498F276C778F946CB66

Function 014B3A98 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a94cfc542bf8f7dc76dea112d861907c7eaaa72aed9eaef8b53c56656d27237
Instruction ID: 0e16e23021bf733aabf9b110662ecacba08bcbf35b8173feef3c9816bb036ea5
Opcode Fuzzy Hash: 0a94cfc542bf8f7dc76dea112d861907c7eaaa72aed9eaef8b53c56656d27237
Instruction Fuzzy Hash: 3171D274D11218CFC744CF99D6C4C9EBBB1FF48214F19C696E426AB262C331E946CB61

Function 6CE77EE8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE77F2F
___scrt_uninitialize_crt.LIBCMT ref: 6CE77F49

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 1efadeb0b877c64c445a8d0ebe96980718407fa65bc9c27ba568c66b54f56e09
Instruction ID: 96add53b21c69533ae998d20abe65f3b5d39de2ab1892a526fa099c5f72a9b6c
Opcode Fuzzy Hash: 1efadeb0b877c64c445a8d0ebe96980718407fa65bc9c27ba568c66b54f56e09
Instruction Fuzzy Hash: 5541E072E05215AFEB328F69C804BAE3AB4EB917A8F31411AE814A6B50D7744D45CBB0

Function 6CE77F98 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CE77FD5
dllmain_crt_dispatch.LIBCMT ref: 6CE77FEC
dllmain_raw.LIBCMT ref: 6CE78034
dllmain_crt_dispatch.LIBCMT ref: 6CE78047
dllmain_raw.LIBCMT ref: 6CE7805A

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: fd4f84fb229d29807d5321ef8e57ea9ec5c93dbfc41006bfb91686e026791ae7
Instruction ID: d8ae255407a284186602499c9e530fedab0798a8f141e6ba092ab7ea495eeaa0
Opcode Fuzzy Hash: fd4f84fb229d29807d5321ef8e57ea9ec5c93dbfc41006bfb91686e026791ae7
Instruction Fuzzy Hash: D7219C72D01219ABEB328E15CC44AAF3A79EB91B9CB35412AF81467B50D7318D51CBF0

Function 6CE77DE1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE77E2E

Part of subcall function 6CE782AB: InitializeSListHead.KERNEL32(6CEA7220,6CE77E38,6CE89A90,00000010,6CE77DC9,?,?,?,6CE77FF1,?,00000001,?,?,00000001,?,6CE89AD8), ref: 6CE782B0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CE77E98

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: ea04cc674c4220e3a1e1d0350e3a8e27aa1ca7cb72f6567c9a002e8e812ae596
Instruction ID: 1c93fea68f4436dce562d0a20e6b760a5178e934f7982d0295e3bb300cf44792
Opcode Fuzzy Hash: ea04cc674c4220e3a1e1d0350e3a8e27aa1ca7cb72f6567c9a002e8e812ae596
Instruction Fuzzy Hash: 9721DE32646241AADB32ABB894107DD3B71DF2236DF30040FD8916AFC1DB614848D6B1

Function 6CE7E40D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CE7E459
GetFileType.KERNELBASE(00000000), ref: 6CE7E46B

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: a28454464b14365bbc9b1c5800049e290cb0896bb90787c0741db86c88d5ebca
Instruction ID: 2c8cc85c20522eb7613daf0938b9ad886cb983e9cca1e3d80491ff8424507b28
Opcode Fuzzy Hash: a28454464b14365bbc9b1c5800049e290cb0896bb90787c0741db86c88d5ebca
Instruction Fuzzy Hash: 1E118771204FE14EC7308E3E8C846917AB5A75723CB34071AD1B597BF1E334D566D2A1

Function 0AF05840 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000), ref: 0AF058B0

Memory Dump Source

Source File: 00000000.00000002.1651054429.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aef0000_8bZMO28ywp.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6107b47b2b61c1d7ee366696c57a41b5cd71036656e211bf25a1f479a4651af9
Instruction ID: 83013d15dd50bcd931883373fadeadd2bfcabc96b62922cdc6a083c1c262f919
Opcode Fuzzy Hash: 6107b47b2b61c1d7ee366696c57a41b5cd71036656e211bf25a1f479a4651af9
Instruction Fuzzy Hash: F61123B5D00619DBCB10CF9AD544B9EFBF4FB48320F10812AD819A7350D774A940CFA5

Function 0AF05BD0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 0AF05C2F

Memory Dump Source

Source File: 00000000.00000002.1651054429.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aef0000_8bZMO28ywp.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9cbd63196fc68e00385b45ee0fe5e141711ac6635228e2527e5f6917ebc9e164
Instruction ID: e5be54134d7b378ba305c8ee43cbba9f9b9fc4cd0eb81ebab2c4a823dc1d57b8
Opcode Fuzzy Hash: 9cbd63196fc68e00385b45ee0fe5e141711ac6635228e2527e5f6917ebc9e164
Instruction Fuzzy Hash: BB1133B1800349CFCB20DFAAC544BEEBBF4EF48324F25842AD558A7250D778A944CFA5

Function 014B1AD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76e98ce95a4ab4973c532e66734d42e4d96a5b71a4dd33c9ee676a961afe560
Instruction ID: 254e5931111e6db6106f72be1c242c27f944a8c4efb91e00561e664f7c6d4dab
Opcode Fuzzy Hash: b76e98ce95a4ab4973c532e66734d42e4d96a5b71a4dd33c9ee676a961afe560
Instruction Fuzzy Hash: 39110431A102088FCB25CF34D8946AEBBB6FFC9314F15446BC0029B264DB71AD12CB61

Function 014B2809 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d287965f479b12954c957bd95453f27435b278ab799957462a077babcb7a9eb1
Instruction ID: 05ecffa0afc856131b2fa341f0f52820d86e6478505927b5a45cce148edd39e1
Opcode Fuzzy Hash: d287965f479b12954c957bd95453f27435b278ab799957462a077babcb7a9eb1
Instruction Fuzzy Hash: 83016D317051518FC3094A3A9C948A7BFB6AFD6251729C677E005DB235CB71ED1287A0

Function 014B28B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269d369e17adab09aa70fb894cf9310e34c09e63ec7c5703ad1c3bf76bba09a4
Instruction ID: 9e7cabbe0ebe0d134ea54a35630891ca3057ddd956694ced90136008612ec471
Opcode Fuzzy Hash: 269d369e17adab09aa70fb894cf9310e34c09e63ec7c5703ad1c3bf76bba09a4
Instruction Fuzzy Hash: BF018F767006419FC318CF3AD9C4966BBE6BFC9260714C5AAD509CB679CA31E8218B60

Function 014B2F80 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee36417a5af077b9e43cfa23d8104aec64a371ed318f0cf7c55dbac89f1f288
Instruction ID: 9f5bb7731d12c21143b09c5d57e5bfbc75c25748e9d468c38e9b60786f22a295
Opcode Fuzzy Hash: eee36417a5af077b9e43cfa23d8104aec64a371ed318f0cf7c55dbac89f1f288
Instruction Fuzzy Hash: 0001F7336086A46FC305DA1DEC144D9BFA5ABCA22030DC6A7E569CB646C734EC1287E4

Function 014B16FB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d6fc25387bfb927134db238eafec156866e4096893edc51e359fd73261bb16
Instruction ID: 816a1a3e698bd637942fef8c7187d091b04bffc3947b1da502b4f479bcf8ed7b
Opcode Fuzzy Hash: 64d6fc25387bfb927134db238eafec156866e4096893edc51e359fd73261bb16
Instruction Fuzzy Hash: 2A0181356046009F97148F6EA9D04E2FBE1FBC5620318867BD00AC7625D734A85687A5

Function 014B28C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e2372ca3c72ae0443a1c903f43e232866e8fa2443188cde083b4b4c1fc3e1c
Instruction ID: 0bf30a42e594c9e95c5e5ee0152e14333e794a51af457caa9e6785b7e17fd58c
Opcode Fuzzy Hash: 62e2372ca3c72ae0443a1c903f43e232866e8fa2443188cde083b4b4c1fc3e1c
Instruction Fuzzy Hash: AAF0B47630060557D3189A3B99C0D26FADBBBC8660B14C43AE50DC7768DE70EC1187A0

Function 014B2F73 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49e6cdc80e58da5b0aa2a6ab352a3db693b35b419948d9a2749358d529a7a34
Instruction ID: a89c7f3de7b00e18aa5019704d0ebf09cf5131d9d9fde9ac64237e2db0178c9c
Opcode Fuzzy Hash: c49e6cdc80e58da5b0aa2a6ab352a3db693b35b419948d9a2749358d529a7a34
Instruction Fuzzy Hash: 4FF09B32504554AFC315CF15D8448EABBB5EF86310319C656E845CB125C735FD62CBD0

Function 014B093D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2eca3520a1e11338e10d23763945aea67163fe108ee84d7f27febc841664114
Instruction ID: 10520341e31a138df30225a2849ab475261f4056b162ba2744e4d2bc79b753f4
Opcode Fuzzy Hash: b2eca3520a1e11338e10d23763945aea67163fe108ee84d7f27febc841664114
Instruction Fuzzy Hash: 2DE08630B142048FC718CE64D5E44AE7B73EBC8351F58952AE002931A4DA7099998B54

Function 014B0839 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bed3bd64847c4ab00d29553d7d186251c590aea3f67394d60bb904e7c3db17f
Instruction ID: 7b9f5ceefa7426d8777f7526e6162487ebdd850879d29f9b5a8be4e5e5e63aa2
Opcode Fuzzy Hash: 5bed3bd64847c4ab00d29553d7d186251c590aea3f67394d60bb904e7c3db17f
Instruction Fuzzy Hash: 6CC08072C403445FD7611B30DD191FC3B6CD75915575D4077D447C8521D17808028700

Function 014B3B8F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9bfccc1b271a2a6a80a4421698eb3cea999aece1e4f921795808ed682162af
Instruction ID: 397a4f438197e50e05634c60edb8a00a28a827d805ec61c5191e0c47079f26e2
Opcode Fuzzy Hash: af9bfccc1b271a2a6a80a4421698eb3cea999aece1e4f921795808ed682162af
Instruction Fuzzy Hash: 02D022329802024B4304EF2080D04AF3382F78A320BA688AA84426F2A1DD269D02C3A1

Function 014B2159 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d135d6a407a2c1a28b6dc97654bfae68ab45e3d6d34c2a8c5d6957329aae9356
Instruction ID: 126fca3969fa89a554613b0f86d76b5a51a186c7dfef23ef21c8bc9d2853bea2
Opcode Fuzzy Hash: d135d6a407a2c1a28b6dc97654bfae68ab45e3d6d34c2a8c5d6957329aae9356
Instruction Fuzzy Hash: 7CD0C935755305DBD3788B30D691B6676B2BF88700F10595AE6464AAE4D270F551CA01

Function 014B0848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f436d471153f94ecde4692171382300b17abd003a91e4531079ff5a3ac7439c3
Instruction ID: cfe9cdbfcd21b1e4af609b821ac344b8f90e8bfba6c8f0b832697909e16b1962
Opcode Fuzzy Hash: f436d471153f94ecde4692171382300b17abd003a91e4531079ff5a3ac7439c3
Instruction Fuzzy Hash: 0FA011300002088B82302FA0BA0E0E83B2CAB082023E00022E20E8C2288AB828808B80

Function 014B2010 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ddfd07009eb813432be136d80bc00f95eb6201f4372ac582790afb08263310
Instruction ID: dce99a31be32761f7aff35a69ca6269e8a4caf5a97c3e945662093db2661edbe
Opcode Fuzzy Hash: 90ddfd07009eb813432be136d80bc00f95eb6201f4372ac582790afb08263310
Instruction Fuzzy Hash: 2DC09273215300CB83295A20939A156BA77EBA1A22392591AC006890A4EA36E952CA11

Non-executed Functions

Function 6CE785CA Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CE785D6
IsDebuggerPresent.KERNEL32 ref: 6CE786A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CE786BB
UnhandledExceptionFilter.KERNEL32(?), ref: 6CE786C5

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3b82f883a0d0d8a5f0029ac8667e84d8c5715e1f471bde912a6e1461318b595a
Instruction ID: 1543a555c6b37bf302068c9e22ce0444b8f587660d1aae3cfc88a2a0b26e5244
Opcode Fuzzy Hash: 3b82f883a0d0d8a5f0029ac8667e84d8c5715e1f471bde912a6e1461318b595a
Instruction Fuzzy Hash: 8E31D6B5D052199BDF21DFA4D9497CEBBB8AF18304F1041AAE40DAB340EB719A84CF55

Function 6CE7C567 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6CE7C65F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6CE7C669
UnhandledExceptionFilter.KERNEL32(C00000EF,?,?,?,?,?,00000000), ref: 6CE7C676

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 433cf2a6fd61441fa9014b846b30951714f6648c8e69c6ee3c41aa5dc1615f8f
Instruction ID: 9c82896edcec90c55e907fdee7ed7524937d197b9d18f7fdd77ce3e98f2dcd40
Opcode Fuzzy Hash: 433cf2a6fd61441fa9014b846b30951714f6648c8e69c6ee3c41aa5dc1615f8f
Instruction Fuzzy Hash: 0531A275901228ABCB21DF68D8887CDBBB8FF48714F6052EAE41CA7250E7709B85CF55

Function 6CE831C5 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CE831C0,?,?,00000008,?,?,6CE82DC3,00000000), ref: 6CE833F2

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 015240ccb77d8256aec0edb79890ac39a695f179161aca12e61f7b694605bbf0
Instruction ID: d58cb4ca476273816570dc1eaa5e10d45dadd849fdcadc2de6437e5fc7772376
Opcode Fuzzy Hash: 015240ccb77d8256aec0edb79890ac39a695f179161aca12e61f7b694605bbf0
Instruction Fuzzy Hash: F2B127316126089FD715CF28C486B687BF1FF45368F358658E9A9CF6A2C735E982CB40

Function 6CE78788 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CE7879E

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ab5d3bf7f1e06be6e37d9c34cebe1a942bc3aa074be1b2710b1ee2bd049449c7
Instruction ID: 040de788b89b9d7991695cd9ebb092caf28308ab5daeaf1ef3e3486b98857c8b
Opcode Fuzzy Hash: ab5d3bf7f1e06be6e37d9c34cebe1a942bc3aa074be1b2710b1ee2bd049449c7
Instruction Fuzzy Hash: B4516AB1A092098FEB24CF95D48179EBBF5FB5A318F20856BE419FB790D7749900CB60

Function 6CE7E33C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE7E33C

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 018d3f6007abcce539e66783ae41c4c71201096a334d621d56176347fec54d6e
Instruction ID: 6235eca8b193b06d2bd7bada9080f2a9d88add12b14e77067559d1db65355854
Opcode Fuzzy Hash: 018d3f6007abcce539e66783ae41c4c71201096a334d621d56176347fec54d6e
Instruction Fuzzy Hash: 33A011B2302200CF8B00CF3A8A0A30C3ABCAB83A80300802AA008C0020EA208800AF22

Function 6CE775B0 Relevance: .5, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3a5fb8012737ef6fd4f1789e5688abc26317ae8c43666faa2bc886b698806d
Instruction ID: ed88d9a179776ac75a4c938a85fabe134d716b8ccb59f29d61eca015157b645f
Opcode Fuzzy Hash: de3a5fb8012737ef6fd4f1789e5688abc26317ae8c43666faa2bc886b698806d
Instruction Fuzzy Hash: FB12F032E052058FCF1ACEBCD5846DD7BF2EB4B354F208216E425E7768C6298906CF65

Function 0AF02300 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651054429.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aef0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fe6e90d726babe78a73f7f77a5f7a22729ea4b22b4dba574dbd91f6f9fe3f9
Instruction ID: e5d1b9f270d37b18088ab4412818e5325198becf2a970d6659067b5097c7d116
Opcode Fuzzy Hash: d2fe6e90d726babe78a73f7f77a5f7a22729ea4b22b4dba574dbd91f6f9fe3f9
Instruction Fuzzy Hash: A4A11631B046508FCB15CB29C5989BEFBF7AFCA300B18855AD59ADB2A5C770ED41CB60

Function 014B36A0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c5c4fbda8857f4328f329c53ae2e1342ee79a5d4c8df29ddb3671a08bb84ff
Instruction ID: 000b0fa75ddc8ddbb1af042584d8e443f7c63a75d97ddde431a9a06bac2d1354
Opcode Fuzzy Hash: 64c5c4fbda8857f4328f329c53ae2e1342ee79a5d4c8df29ddb3671a08bb84ff
Instruction Fuzzy Hash: E271C671F142068FCB44CF6AC9C15AEFBF5FB89610B558567D809E7361C234D9428BA2

Function 014B3AB9 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1647944388.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_8bZMO28ywp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98446363aaf695ec5b805aa04ee5fa779e7101ab2b983f4d3d73feb7fc79581a
Instruction ID: 5dd3d610b86ac1df55c53b68f2ecf2b65224314df39a1a08ab642061083e268a
Opcode Fuzzy Hash: 98446363aaf695ec5b805aa04ee5fa779e7101ab2b983f4d3d73feb7fc79581a
Instruction Fuzzy Hash: C761C274D11218CFC754CF99D6C4C9EBBF1BF48204F69C696E426AB262C331E946CB61

Function 6CE79FFA Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CE7A119
___TypeMatch.LIBVCRUNTIME ref: 6CE7A227
_UnwindNestedFrames.LIBCMT ref: 6CE7A379
CallUnexpected.LIBVCRUNTIME ref: 6CE7A394

Strings

csm, xrefs: 6CE7A0A4
csm, xrefs: 6CE7A037
csm, xrefs: 6CE7A150

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 3487e42ae68f3b9c07746749d3be45cb3c1d87e03927972817f2f18a5e5608a4
Instruction ID: bceee6cb19a0e5cc2082d9c024ce19a9d91133909755e659dbceda950efc68b3
Opcode Fuzzy Hash: 3487e42ae68f3b9c07746749d3be45cb3c1d87e03927972817f2f18a5e5608a4
Instruction Fuzzy Hash: F0B16676845209EFCF25CFA4C88099EBBB5FF04318F24565AE8106BB11D731EA56CBB1

Function 6CE790A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CE790D7
___except_validate_context_record.LIBVCRUNTIME ref: 6CE790DF
_ValidateLocalCookies.LIBCMT ref: 6CE79168
__IsNonwritableInCurrentImage.LIBCMT ref: 6CE79193
_ValidateLocalCookies.LIBCMT ref: 6CE791E8

Strings

csm, xrefs: 6CE7917D

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d02e86546bc11afabad6e6e3ddc6c3879dcbe68d142ad3ac084029581ba85195
Instruction ID: 8b5979b3b7bd1cd554fe7927d8605899760b57539b9b09d5cb300aefa3463f88
Opcode Fuzzy Hash: d02e86546bc11afabad6e6e3ddc6c3879dcbe68d142ad3ac084029581ba85195
Instruction Fuzzy Hash: D241A335A01219DBCF20CF69C884A9E7BB5FF4631CF318159E8159B791D731DA15CBA0

Function 6CE7DF6B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6CE7E07A,00000000,6CE7B882,00000000,00000000,00000001,?,6CE7E1F3,00000022,FlsSetValue,6CE85CD8,6CE85CE0,00000000), ref: 6CE7E02C

Strings

ext-ms-, xrefs: 6CE7DFD6
api-ms-, xrefs: 6CE7DFC2

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e347ca3586c7923cb6515c3b599d1b6b2343e25917c2b2dd5d771b54a84c695f
Instruction ID: 1600d488dbbff6e719745da79479c5bdd069f1291611eff989205780dda8b48f
Opcode Fuzzy Hash: e347ca3586c7923cb6515c3b599d1b6b2343e25917c2b2dd5d771b54a84c695f
Instruction Fuzzy Hash: 4121F035B06611AFDB318A659C48A9F7779DF43378F340215E915A7780EB70EA00C6F1

Function 6CE7964C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CE79281,6CE783A0,6CE77DB9,?,6CE77FF1,?,00000001,?,?,00000001,?,6CE89AD8,0000000C,6CE780EA), ref: 6CE7965A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CE79668
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CE79681
SetLastError.KERNEL32(00000000,6CE77FF1,?,00000001,?,?,00000001,?,6CE89AD8,0000000C,6CE780EA,?,00000001,?), ref: 6CE796D3

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8518c95c21bc3773feeab47624e8e798df368887363c42b18e798679cb8c872b
Instruction ID: f096940d65d11bd86b93cc749f1a12ba4147dadd6e767521870adfbcada44c38
Opcode Fuzzy Hash: 8518c95c21bc3773feeab47624e8e798df368887363c42b18e798679cb8c872b
Instruction Fuzzy Hash: CF01717620D716AEEA281AF97D8499A2A78EF4377D730033EE52086AE0EB514805D274

Function 6CE7D19E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\8bZMO28ywp.exe, xrefs: 6CE7D1BA

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\8bZMO28ywp.exe
API String ID: 0-1537748836
Opcode ID: e0b7fd87877bb0bd2ac98c7d791870838a73b4763328c7695f5a51ee6e33b4e3
Instruction ID: 50215ae60eabb534f107b847a0af1d37475c367b732865d32e9d611f5c538f82
Opcode Fuzzy Hash: e0b7fd87877bb0bd2ac98c7d791870838a73b4763328c7695f5a51ee6e33b4e3
Instruction Fuzzy Hash: 5C21BE35204245AFDB20AF758850D8A7BBDEF4636C7244618E919D7E00E730EA02D7B0

Function 6CE7B1B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,ABEFAE5B,00000000,?,00000000,6CE83AC2,000000FF,?,6CE7B14A,?,?,6CE7B11E,?), ref: 6CE7B1E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE7B1F7
FreeLibrary.KERNEL32(00000000,?,00000000,6CE83AC2,000000FF,?,6CE7B14A,?,?,6CE7B11E,?), ref: 6CE7B219

Strings

mscoree.dll, xrefs: 6CE7B1DE
CorExitProcess, xrefs: 6CE7B1EF

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ce8fa1496b07aebbf11a4f5e19285a3f1c0f1ee629486c52bda9a9736a559787
Instruction ID: f8ef4acc1e96531a1a34996e859cdbf77c12cb68dd731d01838e36794eb54cc6
Opcode Fuzzy Hash: ce8fa1496b07aebbf11a4f5e19285a3f1c0f1ee629486c52bda9a9736a559787
Instruction Fuzzy Hash: 85018632A16559EFDF118F94CC08FAF7BBCFB05715F214926F822A2790DB759900CA51

Function 6CE7FC35 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CE7FCBA
__alloca_probe_16.LIBCMT ref: 6CE7FD83
__freea.LIBCMT ref: 6CE7FDEA

Part of subcall function 6CE7EDCB: HeapAlloc.KERNEL32(00000000,6CE7D717,?,?,6CE7D717,00000220,?,00000000,?), ref: 6CE7EDFD

__freea.LIBCMT ref: 6CE7FDFD
__freea.LIBCMT ref: 6CE7FE0A

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 13664ac13924f949328f31b64cc894099c6612733009c8adaa2ae9393ea32d40
Instruction ID: e2916e716350dc8793867df89d8d76817d07aa533c5cbc6b02b8bbd12493c68d
Opcode Fuzzy Hash: 13664ac13924f949328f31b64cc894099c6612733009c8adaa2ae9393ea32d40
Instruction Fuzzy Hash: 1D51A272601246AFEB208E64DD80EEB36B9EF8565CB31052DFD14D7B10E738D954C6B0

Function 6CE79C22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CE79BD3,00000000,?,00000001,?,?,?,6CE79CC2,00000001,FlsFree,6CE853B0,FlsFree), ref: 6CE79C2F
GetLastError.KERNEL32(?,6CE79BD3,00000000,?,00000001,?,?,?,6CE79CC2,00000001,FlsFree,6CE853B0,FlsFree,00000000,?,6CE79721), ref: 6CE79C39
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CE79C61

Strings

api-ms-, xrefs: 6CE79C46

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1d85fddcb89fe7675f9e4b8752ce79690428c21f068a42c647e43c6c92ec7ccf
Instruction ID: 8b73f086f2d3c67b073eebeee80a717b13a6f9a920c19ddf24f4a3276f648b03
Opcode Fuzzy Hash: 1d85fddcb89fe7675f9e4b8752ce79690428c21f068a42c647e43c6c92ec7ccf
Instruction Fuzzy Hash: 7FE04830745208FBEF201A61DC55B493EBDEF01758F304465F90DA89D5D7729410C5A6

Function 6CE80342 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(ABEFAE5B,00000000,00000000,?), ref: 6CE803A5

Part of subcall function 6CE7DD6C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE7FDE0,?,00000000,-00000008), ref: 6CE7DDCD

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CE805F7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE8063D
GetLastError.KERNEL32 ref: 6CE806E0

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4e01705be1a16dad73aefca780764da0b1b59c5f72e47c42404fe1aec2cad89b
Instruction ID: d91641e30c2e38f11be1d611be46baf1bef767bf23a9a5a0237ff4ab6c509678
Opcode Fuzzy Hash: 4e01705be1a16dad73aefca780764da0b1b59c5f72e47c42404fe1aec2cad89b
Instruction Fuzzy Hash: 86D16C75E026889FCF11CFA8C880AEDBBB4FF49314F24456AE429EBB51D730A941CB50

Function 6CE79DA3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CE79E6A
___AdjustPointer.LIBCMT ref: 6CE79E8D
___AdjustPointer.LIBCMT ref: 6CE79F29

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2528bb2112e59d2ec4021055c11172498eac2ccfe41b680e38698f54a84fda7a
Instruction ID: b652f86a775055ffd88eb429a8920986a01d3076e7b0f646e427114d46f370cc
Opcode Fuzzy Hash: 2528bb2112e59d2ec4021055c11172498eac2ccfe41b680e38698f54a84fda7a
Instruction Fuzzy Hash: 7651AC72606606AFEB398F54D940BAA77B5EF02318F34452EE85587B90E731E881C7B0

Function 6CE7C9B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CE7DD6C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE7FDE0,?,00000000,-00000008), ref: 6CE7DDCD

GetLastError.KERNEL32 ref: 6CE7CA1C
__dosmaperr.LIBCMT ref: 6CE7CA23
GetLastError.KERNEL32(?,?,?,?), ref: 6CE7CA5D
__dosmaperr.LIBCMT ref: 6CE7CA64

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d1ed3cc0f68d6d952c6cb14bf48e64ec062b2a2fd8b0304135c691390500a9a8
Instruction ID: f4956f1a6d640d454d0c3c7f3b5f4c206c5b3b6b9b1afa6a42672c33644943ca
Opcode Fuzzy Hash: d1ed3cc0f68d6d952c6cb14bf48e64ec062b2a2fd8b0304135c691390500a9a8
Instruction Fuzzy Hash: F1219271704605AF9B20EF76889095ABBBDFF463AD724851DE81A97B00E730ED41C7B0

Function 6CE7DE0F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CE7DE17

Part of subcall function 6CE7DD6C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE7FDE0,?,00000000,-00000008), ref: 6CE7DDCD

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE7DE4F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE7DE6F

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: c80b72317d1f86faec6d1903d66ddbd5da3e5ddb0e2bb4067d05adcd2f6cba78
Instruction ID: 380c41f02990d965f75579cf69b337ee5c77a2373c65c7936f642c6736391fd9
Opcode Fuzzy Hash: c80b72317d1f86faec6d1903d66ddbd5da3e5ddb0e2bb4067d05adcd2f6cba78
Instruction Fuzzy Hash: 1B11C2BAA056157EA72267B68C89CEF7A7CCFA729C3240519F501D1700EB249E05C1B0

Function 6CE81CB6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CE81476,00000000,00000001,00000000,?,?,6CE80734,?,00000000,00000000), ref: 6CE81CCD
GetLastError.KERNEL32(?,6CE81476,00000000,00000001,00000000,?,?,6CE80734,?,00000000,00000000,?,?,?,6CE80CD7,00000000), ref: 6CE81CD9

Part of subcall function 6CE81C9F: CloseHandle.KERNEL32(FFFFFFFE,6CE81CE9,?,6CE81476,00000000,00000001,00000000,?,?,6CE80734,?,00000000,00000000,?,?), ref: 6CE81CAF

___initconout.LIBCMT ref: 6CE81CE9

Part of subcall function 6CE81C61: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE81C90,6CE81463,?,?,6CE80734,?,00000000,00000000,?), ref: 6CE81C74

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CE81476,00000000,00000001,00000000,?,?,6CE80734,?,00000000,00000000,?), ref: 6CE81CFE

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4788c9e4fb4c717814ecfe383233035163dd315336bf27450093a7a343b1c074
Instruction ID: 92f83202844c900307e02a1ffa9fd4f72a40b96c420a982de40c029f60a95e54
Opcode Fuzzy Hash: 4788c9e4fb4c717814ecfe383233035163dd315336bf27450093a7a343b1c074
Instruction Fuzzy Hash: 2EF01C36202114BBCF121FD5DC04A8E3F7BFF4B3A6B144018FA2C95620C632C920DB91

Function 6CE80BF5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE80342: GetConsoleOutputCP.KERNEL32(ABEFAE5B,00000000,00000000,?), ref: 6CE803A5

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6CE7EC52,?), ref: 6CE80D7A
GetLastError.KERNEL32(?,6CE7EC52,?,l,00000000,?,00000000,6CE7EAE5,?,00000000,00000000,6CE89F00,0000002C,6CE7EB56,?), ref: 6CE80D84

Strings

Rl, xrefs: 6CE80CFC, 6CE80DA5

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID: Rl
API String ID: 2915228174-3514009068
Opcode ID: 4359108d9aaf7656185f37cc98f70869b2905e76046d5dbff7bcd88ed4def6aa
Instruction ID: 402e62358c5d9d28570b8d3256e2143a6144fb5a152981061fb30cfeb191d422
Opcode Fuzzy Hash: 4359108d9aaf7656185f37cc98f70869b2905e76046d5dbff7bcd88ed4def6aa
Instruction Fuzzy Hash: 6F619371907199AFDF01CFA8C944AEE7FB9BF4A30CF240149E818A7655D375D905CBA0

Function 6CE7A39F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CE7A3C4

Strings

MOC, xrefs: 6CE7A3D6
RCC, xrefs: 6CE7A3DE

Memory Dump Source

Source File: 00000000.00000002.1651135888.000000006CE61000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE60000, based on PE: true

Associated: 00000000.00000002.1651094316.000000006CE60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651191811.000000006CE84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651216576.000000006CE8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1651252651.000000006CEA8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce60000_8bZMO28ywp.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: aab83c21c6bfbb86ade6e16408c33481942ea8b87de2de8d672c1b26d853be15
Instruction ID: c5650e6a85680bf957c436931bba501eafd1ba9d67b472e729566b7cfda63bec
Opcode Fuzzy Hash: aab83c21c6bfbb86ade6e16408c33481942ea8b87de2de8d672c1b26d853be15
Instruction Fuzzy Hash: 7C417D32900249AFCF15CF94CC84AEEBBB5FF48308F249199F919A7611E336D961DB61

Analysis Process: MSBuild.exePID: 4124, Parent PID: 6840COMMON

Executed Functions

Function 064DC580 Relevance: 1.9, Strings: 1, Instructions: 604COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064DC78A

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: ef6bc440ebb6b1a6b8c0c44617e5366ef9b61ce56fa4a7fedb878d1005b6ccff
Instruction ID: 1d6c805c31e5c8141b518d180ac2e3e1883ee7d909de999e689b49577c61e16f
Opcode Fuzzy Hash: ef6bc440ebb6b1a6b8c0c44617e5366ef9b61ce56fa4a7fedb878d1005b6ccff
Instruction Fuzzy Hash: 9B32B235E002148FCB45DF69C5A4AAEBBF6FF89310F1580AAE805AB351DB75DD41CBA0

Function 064D67F4 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064D69F2

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: e985ad4aee14f70c1fb18d2072129fa839b9a30694d5e0e528166f94c9107118
Instruction ID: d9ebdbb2e0a87b5625e4e98a5868570feba038eee7adbfb744ba2771630143ab
Opcode Fuzzy Hash: e985ad4aee14f70c1fb18d2072129fa839b9a30694d5e0e528166f94c9107118
Instruction Fuzzy Hash: 53A16C34E10219CFDB54DF69C894AAEBBB2FF89304F15856AE405AB350EF30A985CF50

Function 06508221 Relevance: 1.0, Instructions: 1024COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c036e03961dd465c06f774f7498a36b7fc9153822f8294b7b45a6966595916
Instruction ID: 55813e4129c3bac7bdfccbcaf53999bbd7203124a1fbaaa584ffd2994dc25bb4
Opcode Fuzzy Hash: d8c036e03961dd465c06f774f7498a36b7fc9153822f8294b7b45a6966595916
Instruction Fuzzy Hash: F4425565507A917FFFA08AB4EC04CF77F5CFB592A57094988F982B62D2C711E6018AF0

Function 064D9068 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e84751bd55e26116260170c2b4d7526d3845dd7ff63774acc3eba5b7d68133
Instruction ID: 717aadeea9975e1c3850b5daa3ab91642b6fb59d95d457dba2743c582927dbc2
Opcode Fuzzy Hash: 35e84751bd55e26116260170c2b4d7526d3845dd7ff63774acc3eba5b7d68133
Instruction Fuzzy Hash: 7102A034F002189FDB59EB78C864AAEBBF6EF89310F148469E405E7395DB359C46CB90

Function 064D22A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd68999290cdee372366397383b6026f6d50404b52c7d714d62b536fb217cdd
Instruction ID: e85196684c05b7a7bf5cc922048b081777b23486889ad9091fafc77fb9c21f98
Opcode Fuzzy Hash: 2dd68999290cdee372366397383b6026f6d50404b52c7d714d62b536fb217cdd
Instruction Fuzzy Hash: D7126C30E10319CFDB55DF68C854B9ABBB2BF84304F148599E909AB351DB71EE86CB90

Function 012009FF Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb42ac553625b9331655ba2c18896884169bbab89d91e089667a3e07b9593fc0
Instruction ID: d3ef3837c0277292ba68f5f404dea4064347be3159f15eac0fe13f8ed33045ef
Opcode Fuzzy Hash: fb42ac553625b9331655ba2c18896884169bbab89d91e089667a3e07b9593fc0
Instruction Fuzzy Hash: 3EE1FA74A403099FDB88EBA4C994ABEBAB7FF88204F508518E415BB394CF359C46DF15

Function 01200A10 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3190ffc2518ef51eb5b6e55aad6233055d8daf7bdf42bf1e6f16f35c9b3e115c
Instruction ID: 5e941aecec9d44850d53d42b81276336d37446390ba647ce5c32ea99160a9569
Opcode Fuzzy Hash: 3190ffc2518ef51eb5b6e55aad6233055d8daf7bdf42bf1e6f16f35c9b3e115c
Instruction Fuzzy Hash: ADE1FA74A403099FDB88EBA4C994BBEBAB7FF88204F508518E415BB394CF359C45DB15

Function 01204418 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d09753511627978532e587bfdc32924fa9953a71df58b9c5375e283e1e78f3
Instruction ID: cab4588261f6d8698418566cabb86c926f803a812b31b5e374800eddfe2f2c39
Opcode Fuzzy Hash: 68d09753511627978532e587bfdc32924fa9953a71df58b9c5375e283e1e78f3
Instruction Fuzzy Hash: B9B1A070E1024ACFDF15DFA8D8857EDBBF2AF88304F14C229DA15A7295EB749845CB81

Function 01204CE8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d5742c2fd4d88957c1699d203e9efc37fc3154a8b245c039a29a889bf8ea30
Instruction ID: a7ef69c3f120b005cca3b41b0a717ba93bc8355d04fb98624cbfb7ec405e66b9
Opcode Fuzzy Hash: c2d5742c2fd4d88957c1699d203e9efc37fc3154a8b245c039a29a889bf8ea30
Instruction Fuzzy Hash: EDB17070E1024A8FDF11DFA9C88579DBBF2AF88314F14C229DA15E7295EB749885CB81

Function 012018C8 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

[^\u0020-\u007F]Profilesmoz_cookies, xrefs: 01201ACC
$^q, xrefs: 012019CF
DisplayName, xrefs: 01201998
$^q, xrefs: 01201A4E
DisplayVersion, xrefs: 01201A03
$^q, xrefs: 012019DB
$^q, xrefs: 01201A42
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 01201905

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$[^\u0020-\u007F]Profilesmoz_cookies$$^q$$^q$$^q$$^q
API String ID: 0-81219223
Opcode ID: 964b7b51a59a762cfb3ac114269ef0c3c14a73094f47b0d1cd5bcf5ed5190a82
Instruction ID: 03c62ff88f0181030c03c56cf3abb63ffca8d42be1533f87a20db0b7abe8d01c
Opcode Fuzzy Hash: 964b7b51a59a762cfb3ac114269ef0c3c14a73094f47b0d1cd5bcf5ed5190a82
Instruction Fuzzy Hash: 6271C731A1070A9BDB16EF75C45436AB7F2BF99300F108629D446AB386EF75DD81C790

Function 01201C20 Relevance: 6.5, Strings: 5, Instructions: 239COMMON

Download Yara Rule

Strings

ProcessId, xrefs: 01201D81
, Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 01201DE5
ID: CommandLine, xrefs: 01201D4F
NameUNKNOWN, xrefs: 01201E24
, CommandLine: , xrefs: 01201E74

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: , CommandLine: $, Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$ID: CommandLine$NameUNKNOWN$ProcessId
API String ID: 0-612052362
Opcode ID: 8add1b3741756aa07523583296b1a94e692e00741dd76a18a793f8bf25c34a1c
Instruction ID: 78d782415003dc19f736dd4c353b25c87eee690511ca226691231096d00f142b
Opcode Fuzzy Hash: 8add1b3741756aa07523583296b1a94e692e00741dd76a18a793f8bf25c34a1c
Instruction Fuzzy Hash: B581A430A103069BD71AEF78C85426AB7B6BF95300B208A3DE50AAB795DF75DC45C790

Function 01201C48 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

ProcessId, xrefs: 01201D81
, Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 01201DE5
ID: CommandLine, xrefs: 01201D4F
NameUNKNOWN, xrefs: 01201E24
, CommandLine: , xrefs: 01201E74

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: , CommandLine: $, Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$ID: CommandLine$NameUNKNOWN$ProcessId
API String ID: 0-612052362
Opcode ID: e750f444b19d821ca1af0c96db21d5f7387a0cf2cdf709eb0eebd3d562ab56b6
Instruction ID: 97c6530fae424ab0d933c8d262fd9ae82983e02d9013447049b6b0f78d4f4771
Opcode Fuzzy Hash: e750f444b19d821ca1af0c96db21d5f7387a0cf2cdf709eb0eebd3d562ab56b6
Instruction Fuzzy Hash: 01819030B103069FD719EF78C85426AB7A6AF99300B608A3DE40AEB795EF71DC41C790

Function 012018B9 Relevance: 5.1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

[^\u0020-\u007F]Profilesmoz_cookies, xrefs: 01201ACC
$^q, xrefs: 012019CF
$^q, xrefs: 01201A42
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 01201905

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$[^\u0020-\u007F]Profilesmoz_cookies$$^q$$^q
API String ID: 0-142524215
Opcode ID: 9c8230e46aefa0adcf008a74c693346e29554a2670806ea62aba819792a2e3ed
Instruction ID: bb583073d2a4866367fedc7ec3da95cbe4f91ece414076acf5205e32bef7f580
Opcode Fuzzy Hash: 9c8230e46aefa0adcf008a74c693346e29554a2670806ea62aba819792a2e3ed
Instruction Fuzzy Hash: CF51A330A2170ADFDB16DF74C4507AAB7F2BF99304F108629E406AB292EB75DD91C781

Function 065061D0 Relevance: 4.1, Strings: 3, Instructions: 365COMMON

Download Yara Rule

Strings

(bq, xrefs: 065066B6
(bq, xrefs: 06506361
(bq, xrefs: 065063AF

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 32bbf6bf73832bf2ea0ef097135f9909333cc10278a2ecdc07e017407c3231a8
Instruction ID: b14cb319f5b261fe1f2e72c15f1654c5775d9644a4fbada25793a5637a333a7f
Opcode Fuzzy Hash: 32bbf6bf73832bf2ea0ef097135f9909333cc10278a2ecdc07e017407c3231a8
Instruction Fuzzy Hash: E5C19C32A042654FD755DB68C84066EBFA1FFC2304B28C5AAD469DB2C6CB32DD52CBD4

Function 01201B42 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

[^\u0020-\u007F]Profilesmoz_cookies, xrefs: 01201ACC
$^q, xrefs: 012019CF
$^q, xrefs: 01201A42

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: [^\u0020-\u007F]Profilesmoz_cookies$$^q$$^q
API String ID: 0-3622219575
Opcode ID: 22785801a09001b3344acad99a7a8883d4227b77cb92b54c33873811819a7b11
Instruction ID: 844dbc4051a7252a4f774039e88862c4fdad6a73cd5a9f1513d37e6c1fbddce5
Opcode Fuzzy Hash: 22785801a09001b3344acad99a7a8883d4227b77cb92b54c33873811819a7b11
Instruction Fuzzy Hash: E041A430A2070ADFDB26DF74C1957AEB7F2BF48304F108629D406A7282EB74D995CB90

Function 064DE138 Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064DE2CD
4'^q, xrefs: 064DE487

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q$4'^q
API String ID: 0-2508332758
Opcode ID: fc9ac9362eec54302fc46082f6d6ac273c14c024d9b6a1c4c71e398bf338d98e
Instruction ID: 27d8866bd793230f41dc4910e3af859f47dc7e933a1cb73317842acc4b5dac56
Opcode Fuzzy Hash: fc9ac9362eec54302fc46082f6d6ac273c14c024d9b6a1c4c71e398bf338d98e
Instruction Fuzzy Hash: 1BB19F30A102088FCB15EFB5D868AAEBFB6FF85350F14846AE406AB350DF759845CB91

Function 064DA782 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

d, xrefs: 064DA9E3
(bq, xrefs: 064DA78C

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: 563535f03367e50ce76ed60be29c34b52aa129479905cfbc999202b16178c955
Instruction ID: d956231acc0d515563c53741a4fa868fb9dd07863ce46634f0307d279883c62c
Opcode Fuzzy Hash: 563535f03367e50ce76ed60be29c34b52aa129479905cfbc999202b16178c955
Instruction Fuzzy Hash: DFC15A34A00602CFCB15CF59C59096AB7F2FF88314B25CA5AE45A9B765DB34FC86CB80

Function 064DAA58 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

xbq, xrefs: 064DAC0B
xbq, xrefs: 064DABD3

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: xbq$xbq
API String ID: 0-4275011135
Opcode ID: b3072bd2fb3772a8feec54a45e275cbaeda10bf00dc1ad72d1d5792843b56014
Instruction ID: 7b428897ee3ef0de02d5680769b5f4a78d0ffba92def94270826f1dd02b42b3a
Opcode Fuzzy Hash: b3072bd2fb3772a8feec54a45e275cbaeda10bf00dc1ad72d1d5792843b56014
Instruction Fuzzy Hash: 4D91AD30A003058FCB59DF39C950A9ABBF2FF89314B24896ED0569B351DB31E846CB90

Function 064D2C28 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

(bq, xrefs: 064D2CF1
(bq, xrefs: 064D2CA3

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: d4f44ae9d5e851e67c6dc760c41e06d511cae0e32359abb8793f4f783c0f485d
Instruction ID: 6ffe0c0b234c0f40382a16fc3223aac8cb4c0347b1fdcd4c705f828ea97d5394
Opcode Fuzzy Hash: d4f44ae9d5e851e67c6dc760c41e06d511cae0e32359abb8793f4f783c0f485d
Instruction Fuzzy Hash: FE511E35B043415FC75AAB79982466FBFE6EFC6240B14896AD902DB381DF75CC09C7A0

Function 0120D480 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0120D558
4'^q, xrefs: 0120D546

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: d5adf99e22747668b8c929619baac425cab147a3e0f8290871b54eba0aa6337c
Instruction ID: 0d327b27f727773c2f0928d0ecca86dcbba565563feb5f908f2a1083846263ca
Opcode Fuzzy Hash: d5adf99e22747668b8c929619baac425cab147a3e0f8290871b54eba0aa6337c
Instruction Fuzzy Hash: FD21EC387903194FC319AB79A52922F7FE6EFC5210B109979E50A87385EF34DC058781

Function 0120DAC0 Relevance: 2.0, Instructions: 1978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be6f3ae7cf649122e7a3d3632416b7739a4017645bffddfd8c67ec1f5775c29
Instruction ID: 81b565a2b0c8ba283e541e400c167147141b7c343b0e82910d6b67c1c1be86a9
Opcode Fuzzy Hash: 3be6f3ae7cf649122e7a3d3632416b7739a4017645bffddfd8c67ec1f5775c29
Instruction Fuzzy Hash: CF233276A02604DFCF66AFA0CA28659B732FB5A345B20847BDD4223764CB7A8D51DF01

Function 0120DAB0 Relevance: 2.0, Instructions: 1977COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f70b1143d98f4152198137f8cf60f9af5631cd6c7c6252844a864bbcddabd4
Instruction ID: 7e47d8b66c03d49e2db95e975e807ba281846ea63e882f91495174a7853be5c3
Opcode Fuzzy Hash: b9f70b1143d98f4152198137f8cf60f9af5631cd6c7c6252844a864bbcddabd4
Instruction Fuzzy Hash: 5B233276A02604DFCF66AFB0CA28659B732FB5A345B20847BDD4223764CB7A8D51DF01

Function 0650C7E8 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0650CB6E

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: bfa6bbb57870895374e29664af79697e53ca1c79ba7922cbaebaa048917e186e
Instruction ID: 201857a11feac570e24bbf9a39be399b7856d599628eeb25d6c4c20c096bf4b1
Opcode Fuzzy Hash: bfa6bbb57870895374e29664af79697e53ca1c79ba7922cbaebaa048917e186e
Instruction Fuzzy Hash: 96D1AD34B002059FDB54DF69D884AAEBBF2FF89310F148669E9159B3A5DB30EC45CB90

Function 06498C40 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06498E04

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2b0929d8fd4c5e3fee695feaf305446f57cf4d678f57eb6a9c43cff4bb49d1ce
Instruction ID: eed5666d4ceeb0d2463af25f162b855c4f84b0851a3b759fa2218cf75f1f421b
Opcode Fuzzy Hash: 2b0929d8fd4c5e3fee695feaf305446f57cf4d678f57eb6a9c43cff4bb49d1ce
Instruction Fuzzy Hash: 1FB1E135B002159FCB48AF6DD99096EBFA6FFC5310B548A6AE519DB341DB30EC05CBA0

Function 064DBF18 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064DC1C1

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: ee03ef4d27aa941c34d045508b87a1da7ddeef0fd020b2d0c8e62f93d8efaa0d
Instruction ID: 9a38324d101e3049b474b102bc5c4f822623a8d924ec45630ccb432ee8ce54f4
Opcode Fuzzy Hash: ee03ef4d27aa941c34d045508b87a1da7ddeef0fd020b2d0c8e62f93d8efaa0d
Instruction Fuzzy Hash: 5091AE35F002149FCB55DFB8C4A45AEBBF6FF8A250F14856AE805EB350DB31A945CB90

Function 06508F58 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

(bq, xrefs: 06508F9C

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d4d33f0e1bd73da5c651286ed0c630f2078be5d2d46cc15ef620e3c62b501b4e
Instruction ID: b5745f55b82609946b0c76d38c783638babd6137ac67197eb055f3ecdfc6345e
Opcode Fuzzy Hash: d4d33f0e1bd73da5c651286ed0c630f2078be5d2d46cc15ef620e3c62b501b4e
Instruction Fuzzy Hash: 7391DD30A042059FCB54DF79C894AAEBBF6FF89310B148469E515D73A6DB30ED05CB91

Function 0650CECD Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

(bq, xrefs: 0650D2D0

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e234181fb2575085983d109332e8d75e4073369d61fb64e9e5e7fe65614ae44c
Instruction ID: 913b5cc61952c371ae849c1086d85a495d279c8f495d55d025ac9937db3a1f2e
Opcode Fuzzy Hash: e234181fb2575085983d109332e8d75e4073369d61fb64e9e5e7fe65614ae44c
Instruction Fuzzy Hash: 66816C34B002149FDB54DFA8D894AAEBBF6FF88310F148569E9169B395DB31DC42CB90

Function 064DDED0 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064DDF90

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: 02cc8c224b494ff341c6e7a37c720b914656698d5fb6d4bddc33c532bc6aa9c9
Instruction ID: f86c1943839ed56b7c29a9710034b6a563a3736b47bfbcdd8668781ec6eca611
Opcode Fuzzy Hash: 02cc8c224b494ff341c6e7a37c720b914656698d5fb6d4bddc33c532bc6aa9c9
Instruction Fuzzy Hash: 2051CE34F007158FC755AB39D8A4A6B7BE6EF86254B14486EE506CB355DF31EC01C790

Function 01208780 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01208931

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 55f5539cb6409052a1f4ef1435296669b3fe9223ee06bdb8a53e05ebbab32d47
Instruction ID: 912de5364d29a47220737ff1cb4943b00b450d35d745ecab44f927f356ee6712
Opcode Fuzzy Hash: 55f5539cb6409052a1f4ef1435296669b3fe9223ee06bdb8a53e05ebbab32d47
Instruction Fuzzy Hash: BA514172914309AFCB05EFA8E8867AB7FB1EF81304F4455A9E005CB392EF709945C751

Function 0650F6F8 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0650F7C6

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 33a557aeecc1c9e45a30a8295859120da5068d85917680cec7e4b7d10bbd9141
Instruction ID: d07eea147be477c8d1aa0fbc66684e2c09be49955bac56f9c5579079c26dc48a
Opcode Fuzzy Hash: 33a557aeecc1c9e45a30a8295859120da5068d85917680cec7e4b7d10bbd9141
Instruction Fuzzy Hash: 2541CD35B002169FDB15DF79D8449AEBBB6FFC8210B14806AE909C73A1DB30DC02CBA1

Function 06502541 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

(bq, xrefs: 06502681

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: b368941b0402f40d216ac3ce397b7b60cea525f523b7e267c1d919d44cbf3fa3
Instruction ID: 3f994f055c0177c359cc49263f386d00d597c14533d66a77c27506c3874a7701
Opcode Fuzzy Hash: b368941b0402f40d216ac3ce397b7b60cea525f523b7e267c1d919d44cbf3fa3
Instruction Fuzzy Hash: 4C41F135B043949FDB559B78D8286AE7FF6BF8A210F1440AAD405EB392CE35DD41CBA0

Function 0649DE70 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0649DE8D

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 0daca922fc42c7961da8fde2854586354816278348ce0d85936258aaa8aa1eb2
Instruction ID: 4cc95407c75645a62bea5f5a69e582bc87382011cd8887d33661d7fb0fe1ce6f
Opcode Fuzzy Hash: 0daca922fc42c7961da8fde2854586354816278348ce0d85936258aaa8aa1eb2
Instruction Fuzzy Hash: FA31EC30A047408FC7599B3989506ABBFE6EF85304F04847AE99AC7359DF32EC498761

Function 06498DE1 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06498E04

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: fbefffb353048ec5dc8dbd4ec502fb61761a1c2aec0af06feb6f698a99e5e009
Instruction ID: 541e748d572928730fea818bd1aaafd8ee5cc63ad8d1a0a9904911d03e910512
Opcode Fuzzy Hash: fbefffb353048ec5dc8dbd4ec502fb61761a1c2aec0af06feb6f698a99e5e009
Instruction Fuzzy Hash: 6F314D30E40616AFCF48DF6DC9509AEBFB5FB45610B108A2AE425EB350DB30AD458BE1

Function 0649DE6E Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0649DE8D

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 37d169c125b3597d189c2cea1dc732c5b4116f7a71101e5a092d934e5a5c80d7
Instruction ID: f7fb3b82bd46364820d64afd1fe3a63e68133e77b097552702f98ce7aee30815
Opcode Fuzzy Hash: 37d169c125b3597d189c2cea1dc732c5b4116f7a71101e5a092d934e5a5c80d7
Instruction Fuzzy Hash: 8921AD30A007008FD7698F69D9846ABBFEAFFC4304F04843AE59AC7359DF71A8488760

Function 064D5BDF Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

4'^q, xrefs: 064D5C16

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d9fd9dfa7903a33be15f029640449f5b37d33d01f62e00d5f08dd4b5e4da4b6b
Instruction ID: ef19a10d2261c9e8c1f4545a6aed6f7745e23a1d517e1a01274b8869d439b8a0
Opcode Fuzzy Hash: d9fd9dfa7903a33be15f029640449f5b37d33d01f62e00d5f08dd4b5e4da4b6b
Instruction Fuzzy Hash: 162108303403419FC7559B28D950A9BBBA2FFC0310F50993AE0568BB94CF70EC8ACB90

Function 06503750 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

(_^q, xrefs: 06503918

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: f72e06a147cf5290ce9fd11d350b90bd692041294ca9ade44e9237066ed4bb35
Instruction ID: 23d32790dc7821f21e08ebd2e1a114bd8350adde52e99e9e80f5bd0f9749b66a
Opcode Fuzzy Hash: f72e06a147cf5290ce9fd11d350b90bd692041294ca9ade44e9237066ed4bb35
Instruction Fuzzy Hash: 9011A1363501248FCB456FB8E418A9D7FE6EB8832070444A5F20AC7761CE36DC10D745

Function 01201B8E Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

c, xrefs: 01201BD0

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-1244939750
Opcode ID: ca21c9812dabb7b65e45c6956ecc4f8e4144876d0e4bcefe079a772028bfb899
Instruction ID: dbcaf84e0bf9afb1fa3421273c5190fb64420f9574e3bc31465574531c07f78f
Opcode Fuzzy Hash: ca21c9812dabb7b65e45c6956ecc4f8e4144876d0e4bcefe079a772028bfb899
Instruction Fuzzy Hash: 1C012D397607015FC706AB5898403AEBBA2FBC8320F644519E51167385EB70BC1647C1

Function 01201B97 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

c, xrefs: 01201BD0

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-1244939750
Opcode ID: bc962600a5bfaf4c1f4ef40782558636b312f1342ae2f170605c8cdf90d2111b
Instruction ID: af4617fbaa9d6d47eae7b21e5b2093c933df015047d8e213b5d7f596cf5c14d6
Opcode Fuzzy Hash: bc962600a5bfaf4c1f4ef40782558636b312f1342ae2f170605c8cdf90d2111b
Instruction Fuzzy Hash: 7AF042397503111FC705AB58984036EB7A3FBC8320F544529E5106B385EF70BC1647C1

Function 012088F0 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01208931

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: c3351649a6d22855b3d0b57ee1339680777ca494ae6817899bdad561d47db797
Instruction ID: 1c67999ec353f397bcaaf826b623135761c53feaf63be76e585c757b75a2273d
Opcode Fuzzy Hash: c3351649a6d22855b3d0b57ee1339680777ca494ae6817899bdad561d47db797
Instruction Fuzzy Hash: CC018B30910309EFCB04EFB4E68A69EBFB0FB80201F5015A8E40597394EF305E49DB41

Function 0650F628 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0650F632

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 99738882a8d57759823826c7136c74a12642e8fb0dd03b398749415db65234d0
Instruction ID: 07d27d1301e8074d8828f5cbf1890885b9b1f3486a90b0d9c802780cb00f8756
Opcode Fuzzy Hash: 99738882a8d57759823826c7136c74a12642e8fb0dd03b398749415db65234d0
Instruction Fuzzy Hash: F9F0A7357112146FD718AA1AD855F6BBBAFFBC9720B10412DFA0ACB3A0DE61AC01C794

Function 01208900 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01208931

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 3228f6b12c2ca6c04b29270c8f6aac1e5f91895dbeafc1cf8e988d8525fa5cd4
Instruction ID: e9a614fa36d2653ee38250159781be1d3f24421ef9d7a6dacc9ffbfa629e22dc
Opcode Fuzzy Hash: 3228f6b12c2ca6c04b29270c8f6aac1e5f91895dbeafc1cf8e988d8525fa5cd4
Instruction Fuzzy Hash: 3AF08C30A1130DEFCB44EFB8E64959DBFB1FB84201B1015A8E40597354EF305E49CB41

Function 0650D318 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219fed299a63ece5f29353d1a9f5f27767d8888f35afe529854372482dd3c9d2
Instruction ID: dad3590a73a841a210143b7784406f90cadd6890910d5ad1f278144462bf7dcd
Opcode Fuzzy Hash: 219fed299a63ece5f29353d1a9f5f27767d8888f35afe529854372482dd3c9d2
Instruction Fuzzy Hash: 18020735A002088FDB54DFA9C594AADBBF2FF89310F158569E805EB3A1DB31ED46CB50

Function 0650A47F Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dda1c7cdf84a6a8b7174137d5d6721c85db2f0062bd4a54d733d6535b5d64d
Instruction ID: 00738428731b354a10b2b9be5399969940c2342805aadfdd2cd316905a28436e
Opcode Fuzzy Hash: 99dda1c7cdf84a6a8b7174137d5d6721c85db2f0062bd4a54d733d6535b5d64d
Instruction Fuzzy Hash: D8027F74A007458FEB55DF38C444B9ABBB1BF49304F158598D449AB392DB31ED85CF90

Function 06505720 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cb6a4155de1694adbf484b85cd0818cb4c790bc40c452f7c6c17307df97afe
Instruction ID: 65788fca0dab2903ec17d1d2f9aa21dd0f4637728f2c7f5c075e05b769814b9f
Opcode Fuzzy Hash: b3cb6a4155de1694adbf484b85cd0818cb4c790bc40c452f7c6c17307df97afe
Instruction Fuzzy Hash: 9DE1BD34B002099FDB94EFB9D9546AE7BF2BF89210F148469E402EB395EF34DC058B90

Function 064DEBD6 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9fe38e0c6aab5cc94bfc99adc3ecb2977852ca9c0a3ddbebec5faaea719061
Instruction ID: 2bae2c1e0ef5fb60546e29893ac895419f4bf92e0182ac806e3690c99437d047
Opcode Fuzzy Hash: df9fe38e0c6aab5cc94bfc99adc3ecb2977852ca9c0a3ddbebec5faaea719061
Instruction Fuzzy Hash: E5D16D35E002499FCB59DFA8D594AAEBFB2FF88310F054469E906AB361DB31EC45CB50

Function 064D1B97 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c46face317cc3cf48630340c6240a1bfb65973785b6dbfa95b1ef999d9eec5c
Instruction ID: 0ff5fae61bc5bafc827d7326eb8a123d22d617f67098e1e958aaca4f591f08e5
Opcode Fuzzy Hash: 6c46face317cc3cf48630340c6240a1bfb65973785b6dbfa95b1ef999d9eec5c
Instruction Fuzzy Hash: ABD13634E003098FDB59AF74D46866EBBF2BF85300F14956AE8469B3A1DF34E846CB50

Function 064D2292 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaac16de5714b1a7a4fa9210478ec3df31a8688ae2b195944d0bf68dcc6e5274
Instruction ID: 4ff538e4da767fd4bf646d4a984bfd7b9b6b01178169a00c5ff124e56031f43b
Opcode Fuzzy Hash: aaac16de5714b1a7a4fa9210478ec3df31a8688ae2b195944d0bf68dcc6e5274
Instruction Fuzzy Hash: 93D17930D1071ACFDB55DF28C494B9AFBB1BF84304F14869AD509AB251DB70EA86CF90

Function 0120440C Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f76691dc937e0828faa264b48633a4a2b41407404e6ed114a5d213bfbd0ec52
Instruction ID: 65af324d66ddcde89aa843b36315ef73267b4ea3f58c9a66a3b4105981d8703f
Opcode Fuzzy Hash: 2f76691dc937e0828faa264b48633a4a2b41407404e6ed114a5d213bfbd0ec52
Instruction Fuzzy Hash: 82B19F70E1024ACFDB15DFA8D8857DDBBF1BF48314F14C229DA18A72A5EB749845CB81

Function 012012CA Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aede63c7b567330c755f916a85306fb47dc2b5eabe9d127fac9de2a71aa7edd
Instruction ID: 44a0c56b0f33965c05d4504ef4fb92d286b2bcc7d433539f31425f4a4cd9195d
Opcode Fuzzy Hash: 3aede63c7b567330c755f916a85306fb47dc2b5eabe9d127fac9de2a71aa7edd
Instruction Fuzzy Hash: 25A1F22285E7E05FDB03AF3C98A05C53FB09F47214B0A05D7C480DF1A7D665998DC7AA

Function 01204CDC Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d184af346a751a2bceb68e42ebcac1a4273572f8416e52d75668f7695175ee4
Instruction ID: cbc2f94b9d96a15f8ea789e1a8e0bd9ca7c10a750a02d0f2520e4af825a86c47
Opcode Fuzzy Hash: 4d184af346a751a2bceb68e42ebcac1a4273572f8416e52d75668f7695175ee4
Instruction Fuzzy Hash: 75B16F70E1024ACFDB11DFA9C9857DDBBF1BF48314F148229EA14E7295EB749885CB81

Function 0649EED0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec06654a29fb1fb89646d704ce5e3e92cc621fa3921471d6139db3275a285c54
Instruction ID: 8c684896c4f2f10bf24c47d5265a73bce40f894a8da91d6773518958c0b7f4bf
Opcode Fuzzy Hash: ec06654a29fb1fb89646d704ce5e3e92cc621fa3921471d6139db3275a285c54
Instruction Fuzzy Hash: 3CA1A2346407469FCB65EB39D5506ABBBF2FF89304B008A29D4468BB55DB31FC49CBA0

Function 064D0F7A Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a54fee56a35a986da726834c9959e2d3c4db553e2cbcf3860b756d3187cd2f
Instruction ID: a9ecc3dd74236c5907e62acb85283db02df26d5366c1e59fd1862946a3600ba1
Opcode Fuzzy Hash: 70a54fee56a35a986da726834c9959e2d3c4db553e2cbcf3860b756d3187cd2f
Instruction Fuzzy Hash: 2BB14C30E1165ACFDB55EF64D854BAEBBB2BF45300F10869AD849A7250DF30AE85CF90

Function 06502E10 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6811cb2562080c30b57cbbe405cff23a3a13e3ddd99297fbf498d6dff30414b1
Instruction ID: 5f051577fa669d9bd7a4ed1048dd0eb43835691b7a7c0627b6a93adf999c48b4
Opcode Fuzzy Hash: 6811cb2562080c30b57cbbe405cff23a3a13e3ddd99297fbf498d6dff30414b1
Instruction Fuzzy Hash: D581BC31E002099FCB44EF79C854AAF7FB6FF89250B10856AE909DB351DB30D9058BA0

Function 06490618 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7cbf9c6b5113571bd7cf317cf37e069cebc2f4ac1f4875f9be02cd9204aa79
Instruction ID: d5513396506824ac9465ed093fafd2c03f2c1b5376274db5a00c790fb3b5c756
Opcode Fuzzy Hash: 9e7cbf9c6b5113571bd7cf317cf37e069cebc2f4ac1f4875f9be02cd9204aa79
Instruction Fuzzy Hash: DF917074B002058FCB55DF78D894AAE7BF2FF89210B14856AE91ADB355DB30EC01CBA0

Function 0650B090 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43fecf36444e26e465138f5d01b84f7636020f1c18d02c88d38dfcf6e34ff82
Instruction ID: 5f736b669bb028fdd98d6c3de6bbb4e5ac3e17ba14f401997abc37888c040ae9
Opcode Fuzzy Hash: e43fecf36444e26e465138f5d01b84f7636020f1c18d02c88d38dfcf6e34ff82
Instruction Fuzzy Hash: 37718D347006119FDB48DF69C898E6ABBF6FF8961071580AAE505CB3B1DB32EC55CB90

Function 01200677 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119819f6659e9df0ce0c09e2bd14dfc73b8c41eb17db6d06d264f0ed0a74c1f4
Instruction ID: 536d58e9e9b824c804b15b69287ad70b1c93c1c923c1875b09d9c8c33935bb5a
Opcode Fuzzy Hash: 119819f6659e9df0ce0c09e2bd14dfc73b8c41eb17db6d06d264f0ed0a74c1f4
Instruction Fuzzy Hash: 6F81AE2146F7E05FD707AB3C98A04853FB0AE1322871A01D7D4C0CF0A7D65A999EC7AA

Function 064DB319 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce3e1916e415259b0c80c8a8bcf73f7cc279930878e429a456fa5932ab6ff2a
Instruction ID: d2b22fbb1e3f4993e753ffdb9d7259f8c19ba1a45f664d077853ca76263c2544
Opcode Fuzzy Hash: dce3e1916e415259b0c80c8a8bcf73f7cc279930878e429a456fa5932ab6ff2a
Instruction Fuzzy Hash: E4913934A00608CFCB45DF68C894AAEBBF6FF88310F14855AE546AB360DB70ED45CB90

Function 0649F887 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23d2d4d1c1902109836b8da9515c2da29d482f0ac8341836c2459a6d43535ba
Instruction ID: 77a7b3b014fa39134dcf42ab3515ab803cba1c2d669c222e240dd449cef35c45
Opcode Fuzzy Hash: f23d2d4d1c1902109836b8da9515c2da29d482f0ac8341836c2459a6d43535ba
Instruction Fuzzy Hash: 52918F34754144CFDB99DF64C488BAB7FF1EB89328F24509AD482D7395DB348889CB61

Function 0649E480 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84f89d88c6d6d35db548a14a33c4d1878020614336ac22464c04c0b93d65023
Instruction ID: 76f4ce4c2d49ea91d2fb66e598672014dcc278f34e0fa89ca6b7959e7fa592ca
Opcode Fuzzy Hash: e84f89d88c6d6d35db548a14a33c4d1878020614336ac22464c04c0b93d65023
Instruction Fuzzy Hash: 67610E31B402009FCB55AB79C914AAEBFE6EFC9310F54842AE5069B391DE35EC45CBA0

Function 064DF1E0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9336acc843344f67c3a9b455de76083eab7d10d1c83fde1337f10d9add9c98cd
Instruction ID: c523f255a172eee3dac366011891aed05e075632228f5f6af6dde4cd727fdf26
Opcode Fuzzy Hash: 9336acc843344f67c3a9b455de76083eab7d10d1c83fde1337f10d9add9c98cd
Instruction Fuzzy Hash: 0C713834B002049FCB48DF69D49499EBBF6FF8831072581AAE81ADB375CA31EC42CB50

Function 0649CE38 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d20e98d2d63f8da922012e0ec7f387fcb49ce29be1c80fff5eb3646455a245
Instruction ID: 90bce7455ffab0d58bec564693833ab2d3078dcf10c80002738567d6912ddbd9
Opcode Fuzzy Hash: 18d20e98d2d63f8da922012e0ec7f387fcb49ce29be1c80fff5eb3646455a245
Instruction Fuzzy Hash: A561E430E402059FCB05DB78D858AAE7FB5EF85304F0485AAE845DB396DB31DD05CBA1

Function 0649F858 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabe97065b78f68babb4286f5d999c293ce47e053b4c7313e9c41d0b4a06f6fc
Instruction ID: 89f92d7e37d603a6ea117b437308405458e00d5a8f3dc83a94c42460e568bb2c
Opcode Fuzzy Hash: dabe97065b78f68babb4286f5d999c293ce47e053b4c7313e9c41d0b4a06f6fc
Instruction Fuzzy Hash: 95817D34B54244CFDB99CF64C488BAB3FB1EB8D318F245099D482DB395DB348889CB60

Function 0649F898 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf1dd04681e5a729a2c3a20da886fdd2e4d86278eb10e55c837d5f1b0b8ca20
Instruction ID: b0342a9542ea51c4f07be712210bc603de03c3591846436828d5a454af22e5ff
Opcode Fuzzy Hash: eaf1dd04681e5a729a2c3a20da886fdd2e4d86278eb10e55c837d5f1b0b8ca20
Instruction Fuzzy Hash: 2B817A35B50244CFDB99DF64C498BAB7FF1AB8D318F24509AD482E7394DB349889CB60

Function 064DFD33 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b700a1e25c97e58697c069843d9cd1906c6fc9e34b9bd71a36ac0d0a42cf25
Instruction ID: f85bf170fb979696ba423ffb683497cc61e5ad3987a124f112c6ce476e057057
Opcode Fuzzy Hash: 85b700a1e25c97e58697c069843d9cd1906c6fc9e34b9bd71a36ac0d0a42cf25
Instruction Fuzzy Hash: BB714A34B002158FDB55DF69C894AAEBBF6FF88314F14806AE90697361CB34DC46CBA1

Function 064DDB2E Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b569a49a1b79b67e5b64c4ba5d8fbeafdb43bc9f3414145fe44782bc509f98ba
Instruction ID: b8263b0a434a62e342493560cd209ca6d4ad45ebcc4f1650f306697f3cfd5958
Opcode Fuzzy Hash: b569a49a1b79b67e5b64c4ba5d8fbeafdb43bc9f3414145fe44782bc509f98ba
Instruction Fuzzy Hash: 43812D34E10209CFDB69EFB4C458AADBBB2FF49305F10856AD416AB361EB709985CF40

Function 0650C7D7 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9539d5b5858135c646f0aca94e777bf61f9f9ceb6667048a2e69b10762f277c9
Instruction ID: db1085830f271aa9b27aa4b4b17640c899cd7d46c688450530f564ff48fc6d8b
Opcode Fuzzy Hash: 9539d5b5858135c646f0aca94e777bf61f9f9ceb6667048a2e69b10762f277c9
Instruction Fuzzy Hash: 2B61CF34A002059FDB54DF79C884AAEBBB2FF85310F008A69D9159B3A5DB70ED45CBD0

Function 0649E411 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc350e89171a3030fab45a02557599943a4a5ab029e63232f0cbf7490a12ef73
Instruction ID: 88228da6293c1b986df44d3c06bbfdff6237fa645a6c1a8cb465ce13ebc0be5e
Opcode Fuzzy Hash: cc350e89171a3030fab45a02557599943a4a5ab029e63232f0cbf7490a12ef73
Instruction Fuzzy Hash: 4E5103307443409FCB56AB39D914AAE7FA6EFC5310B5484AAE409CB3A2DE35DD09C7A1

Function 064DFD40 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7638b0013c8d63f2541192ff6bdca91e87b1ba663a98cc81fb8d97a97c4821d2
Instruction ID: f415d3bcb9b77ffafb8ca15e77e0e2c54be063b1f890a15a6b292ea2a0d4dd7a
Opcode Fuzzy Hash: 7638b0013c8d63f2541192ff6bdca91e87b1ba663a98cc81fb8d97a97c4821d2
Instruction Fuzzy Hash: 5A613B34B002198FDB54DFA9C894AAEBBF6FF88315F148069E90697361CB35DC46CB90

Function 064D2920 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9aa30f7c81ec81a2a685df511944b793a291d9076da96de1be3996ff33a2a1
Instruction ID: d5b63d8d0dce591ea02e91c5010acbe1cb0845585aedb5a480144853b3e98949
Opcode Fuzzy Hash: db9aa30f7c81ec81a2a685df511944b793a291d9076da96de1be3996ff33a2a1
Instruction Fuzzy Hash: 56511131F002159FCB65AB78E8686AFBBB6FF85310B0085AAE505DB344DB71DD0987A1

Function 06503CEF Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154efd61ecc285cf64f4eb41c82a3b80216d8c0332b8983846ca5a3f341e2c65
Instruction ID: bb74d7dc2ae28f6798134796992352ba6f95549cb8adcea0d47ad3eb4ca79dad
Opcode Fuzzy Hash: 154efd61ecc285cf64f4eb41c82a3b80216d8c0332b8983846ca5a3f341e2c65
Instruction Fuzzy Hash: 55510436A0060AEFDB84CF99D884A99BBF2FF89320F158569E5059B361D730EC84CF50

Function 06490448 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce489cc37645b7a4802ca5989edd82c9cb2fbb2ad0e97b4e81677d2abd56e1b
Instruction ID: 6b84d343b424ed948d305c230ebe3c0750c26978287833a82384bae777687911
Opcode Fuzzy Hash: 4ce489cc37645b7a4802ca5989edd82c9cb2fbb2ad0e97b4e81677d2abd56e1b
Instruction Fuzzy Hash: 05518B35B002058FCB19DF69D8A496BBBF6EFC8250714846DE94AD7355EB31EC01CBA1

Function 06491028 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8d773b634ed2bab1a596874b7deecbe39cd67dbba7800b47409e4e9d142598
Instruction ID: 206629236fa7f08e3c36b176601d33dbcce94e30eb7514c52f0b8279209d0cce
Opcode Fuzzy Hash: 3d8d773b634ed2bab1a596874b7deecbe39cd67dbba7800b47409e4e9d142598
Instruction Fuzzy Hash: 2651DE357407018FC759EF39D59892ABFE2FF89210B14856AE54ACB365DB30EC09CB50

Function 06491608 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f74d4af243d782507d12b3e59d6347cebae3700b39a8bcf4e9ba41207cdd6e1
Instruction ID: 840c404e8d8bcee9fc06a7ff93bbb355a2169f386a8b555f9fdddfd86f504794
Opcode Fuzzy Hash: 2f74d4af243d782507d12b3e59d6347cebae3700b39a8bcf4e9ba41207cdd6e1
Instruction Fuzzy Hash: 8841DB357442538FCB996B38D45833EBFD2ABD8250F1885BAE51ACB381DF348C4587A1

Function 0120CF88 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79eaec69ca9e3c8683689a31998c635af3ea9c688b566428ee59d50a73e9de6
Instruction ID: fe27ff016af03836922946889c7762914a0f1d2b360806867aa115b789897f20
Opcode Fuzzy Hash: f79eaec69ca9e3c8683689a31998c635af3ea9c688b566428ee59d50a73e9de6
Instruction Fuzzy Hash: CC41E234604358ABCB15AFB9EC19A5B7FA6EBC6360F20926AF919873D1CF318801C750

Function 064DF2B1 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91528f0aff9866a8f79c5e037a875462830133439b8d3210a44546ae5e09ebc
Instruction ID: c7577b5ba4fca400a22baa4502de1e157b0fd5050062a72b2ac61024b6ae381e
Opcode Fuzzy Hash: d91528f0aff9866a8f79c5e037a875462830133439b8d3210a44546ae5e09ebc
Instruction Fuzzy Hash: F251F734A01109AFCB54DF69D99499EFBF2BF88310B25855AE8159B375CB31EC41CB50

Function 01208138 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d2980f76ff08051879d62fed195b1716d07f0459d035589b3ced4d44276629
Instruction ID: e0a8c787390da4284766cbb5afd26f25fbef82cf07044a21c6c764105b21fed9
Opcode Fuzzy Hash: 71d2980f76ff08051879d62fed195b1716d07f0459d035589b3ced4d44276629
Instruction Fuzzy Hash: 6941F334B105088FCB14BBB8E95816EBBB2FFCA314B545628E423973D5EF349949C792

Function 064DF2C0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa166b60dbc3dc234755c81d864582de07a974d49c72ca12416f5d71e7005b69
Instruction ID: 905e7ffb46f88ff2aeafecb55ad6ab36bae335688c93a38bb2cd9a0c508d04f3
Opcode Fuzzy Hash: aa166b60dbc3dc234755c81d864582de07a974d49c72ca12416f5d71e7005b69
Instruction Fuzzy Hash: D751E438A01209DFCB58DF69D59489DFBF2BF88310B25816AE816AB375CB30EC41CB50

Function 064D9063 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6c8cebc2ae0604531b303a1b598dd159d8eee3bbddec42acc905418ab04f65
Instruction ID: f0c7f25580ee44c711b808464640fc58553ee5dea07e0c01053e5ec0959dc476
Opcode Fuzzy Hash: bd6c8cebc2ae0604531b303a1b598dd159d8eee3bbddec42acc905418ab04f65
Instruction Fuzzy Hash: 6551B030E10218CFDB55DFA8D894A9EBBB6FF89314F24856ED505AB391DB31AC45CB80

Function 012064D8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716c4f83fd834ec09f55b0d7f4c3a870184a1b5bcfe8ff5dee0bb1579d2bd455
Instruction ID: c5c32e1161dd435b04589a2cbcfd1aaade9bbcd1e043f656cff2b573b7e33fe2
Opcode Fuzzy Hash: 716c4f83fd834ec09f55b0d7f4c3a870184a1b5bcfe8ff5dee0bb1579d2bd455
Instruction Fuzzy Hash: F8416D34B102048FCB49EB78D89466EBBF6FBC8310B548569E905D7399EF719C41CB91

Function 0120AE00 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e29063b47c969072bc0faa59b56b8ebbccbad9fdfa551d66d72b160b16f5b14
Instruction ID: 0016d2b19d70c89d0c74c8d4ac730abe12d5cb92317af272378180eb1740d55b
Opcode Fuzzy Hash: 1e29063b47c969072bc0faa59b56b8ebbccbad9fdfa551d66d72b160b16f5b14
Instruction Fuzzy Hash: 3D417C30A003468FDB16DB68D484AAEFBB2FB84314F49C269D6199B392D770EC45CB91

Function 01208148 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352529aeb7b4fc5980250c801be4e92bb83f719aeda47ac305aa082a8c3290b1
Instruction ID: ce97d8817d55ed10012d149f29543aae2e02fe6b6bdaa725cc0c56d5f4f84fb1
Opcode Fuzzy Hash: 352529aeb7b4fc5980250c801be4e92bb83f719aeda47ac305aa082a8c3290b1
Instruction Fuzzy Hash: EA41B134B205088FCB14BBB8E55806EBBB6FFCA314B505628E463973D5DF349949C792

Function 0649C138 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3019a02a31f5319f423c3f6a7b4193ad1ee9f65eb6dd54ed87c3373bdd614de
Instruction ID: a364b9458940203fed29c1f0c6414806172f5dfe3e9a0dc0fe25457887b64465
Opcode Fuzzy Hash: b3019a02a31f5319f423c3f6a7b4193ad1ee9f65eb6dd54ed87c3373bdd614de
Instruction Fuzzy Hash: 9341AE343402069FCB15DF28D894AAEBFE6FFC9310B108529E55ACB365DB70EC458B90

Function 0120C888 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6277617fe78202b3866c7e44e5d4394c86c4358c2a4925a22842c5b781ebca
Instruction ID: 653d06fd6a53f6feaca06d18c8c9d822f9124893ca827fe6e1ac302c31516195
Opcode Fuzzy Hash: 0b6277617fe78202b3866c7e44e5d4394c86c4358c2a4925a22842c5b781ebca
Instruction Fuzzy Hash: 8441DB386143599FDB09BBB8E81966B3FB6FB86310B2456AAE505C7381EF358C11C790

Function 0649B6E8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2073e2488f7640ad81c6b447594a9fba21784a7f914ed5eacc28d8a11c82972a
Instruction ID: f1e85aa3a359dad5e2aec49b8682062e4a1a46380a4d5183c03f0998ae03c30f
Opcode Fuzzy Hash: 2073e2488f7640ad81c6b447594a9fba21784a7f914ed5eacc28d8a11c82972a
Instruction Fuzzy Hash: B141AD35A002148FDB19AF68D4985AFBFF6EF88320B1042A9E902E7350DA35CC41CBA0

Function 0649EEC0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38194503fe70837e153935f1eaef8a578278d73928443a557d35d0856e95f219
Instruction ID: d5328bf1fe5daeb30ab8b03c4aa3f4281877e96ab6aea8d6a66246ceb1be4ee1
Opcode Fuzzy Hash: 38194503fe70837e153935f1eaef8a578278d73928443a557d35d0856e95f219
Instruction Fuzzy Hash: B7418030240B469FCB61DB25D640A96FBF1FF45204B049A29D0864BB26D730F999CBA1

Function 0649CCB8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50845544f68b73c8acfba620f5cf16f7eb50db001919c638a5a61e7d6fcf1996
Instruction ID: 19209abd2c786611b2a0f51550fc37483a4838763cfd631d9b1a0af95f36b1dc
Opcode Fuzzy Hash: 50845544f68b73c8acfba620f5cf16f7eb50db001919c638a5a61e7d6fcf1996
Instruction Fuzzy Hash: 55415975A002059FCB04DF68D884AAFBBF6FF8C300F148866E505A73A5DB719D45CBA0

Function 064DB7C0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f97d0ff413843f0843ef8306070cd4af1414a9e73e8087806809806e9146214
Instruction ID: 8f91ec6833c9f107d7051b65cca23e85a3d46da68fc2b80a0083f614534832b9
Opcode Fuzzy Hash: 2f97d0ff413843f0843ef8306070cd4af1414a9e73e8087806809806e9146214
Instruction Fuzzy Hash: 0F41AF70E0060ADFDB54EF69C595AAEBBB5FF48300F00852AE846A7254EF70E945CB91

Function 0650F680 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718d386ee72208facca9a4d3636eedc9d322761c60e04b0422e7f69b414c4d95
Instruction ID: 6f9ce798c8ba956961161dfb0a16f5518bb8827224e972afb1bb113cb1ab2341
Opcode Fuzzy Hash: 718d386ee72208facca9a4d3636eedc9d322761c60e04b0422e7f69b414c4d95
Instruction Fuzzy Hash: 06410231B006159FD765DF29D884AAFBBBAFF89310B14452AE919C7391CB30EC01CBA1

Function 064D905B Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fa2522ce160d6d59851cbbb2b1cd06ed58fe103b5107250849e2eebfaa554d
Instruction ID: 81634cfe444afe9f90e0dbbc6d05795436df26ff8dce333ace3dff17680844e3
Opcode Fuzzy Hash: 32fa2522ce160d6d59851cbbb2b1cd06ed58fe103b5107250849e2eebfaa554d
Instruction Fuzzy Hash: 1F41BE35E00208CFDB54DFA8D894AAEBBB6FF88314F24856AD405AB351D731AD45CB80

Function 064DA620 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334d560a0c1e723612fe8df68ab21e73d72a08c1da96baa2c84da61e095de46c
Instruction ID: 07b331ed5813446ada8351a4392835788819bb01c8d31a8f5c8d6d72e6649fab
Opcode Fuzzy Hash: 334d560a0c1e723612fe8df68ab21e73d72a08c1da96baa2c84da61e095de46c
Instruction Fuzzy Hash: E5411974A01204DFC714CF69D59499EBBB2FF88314F248459E805AB365CB35EC85CB90

Function 064903DF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df45e750f6715728149d4a988b086cd9f09ba6658cb973250f4feaefbb0c6c6a
Instruction ID: e7316e7945f616ecb9f6d36153632c45e55f108f085ca850e05181cd6665168e
Opcode Fuzzy Hash: df45e750f6715728149d4a988b086cd9f09ba6658cb973250f4feaefbb0c6c6a
Instruction Fuzzy Hash: 3631C1206593905FDB029B7888A05ABBFB5DF8725070A409BE880CB3A7DA24DD09C7B1

Function 0120FCC8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61967cc0c6e8610060cc97035dc5ae60ca269894e82955d368e73f965f31f0ec
Instruction ID: 8d1fbf27ae02168f0e816d4cad340a0d7e89dfa1015ca4a5518f3f3516f107fe
Opcode Fuzzy Hash: 61967cc0c6e8610060cc97035dc5ae60ca269894e82955d368e73f965f31f0ec
Instruction Fuzzy Hash: D0310A35B9020A9FDB25EBB8D9147AF7FB2EF80300F408065E501EB386EB749D058B91

Function 064DC571 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f91815c2ec66113c43edfd907817fca57b514c75370eedaf71b8ad32584c05
Instruction ID: 962a6d444e396c78aead8580afb1efd272ae6d9d45a672b84be241bf5f6e774f
Opcode Fuzzy Hash: b7f91815c2ec66113c43edfd907817fca57b514c75370eedaf71b8ad32584c05
Instruction Fuzzy Hash: E041D531E002698FCB55DF79CA64AEEBBF9EF49200F14516AD805BB350DB319D40CBA0

Function 064D9057 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f865420c5b83a54ab392ba57a8e616fc0db0501965d09c347723346575054ef1
Instruction ID: f5a37a4d06447f5f7633592a98086e0dce898e6a3fe376cdc061ca3152b03ed7
Opcode Fuzzy Hash: f865420c5b83a54ab392ba57a8e616fc0db0501965d09c347723346575054ef1
Instruction Fuzzy Hash: E3417035E00218CFDB55DFA8C994AADBBB2FF49314F24856ED405AB391DB31AD46CB80

Function 0649E6F7 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30f13c552753db163178de5cd68e73784588cc956978906d47c5f1db6735ab3
Instruction ID: 96ae991da2ad3aa9bc388278c0bc0584d706f80a7585e06201527b9411a8bc80
Opcode Fuzzy Hash: d30f13c552753db163178de5cd68e73784588cc956978906d47c5f1db6735ab3
Instruction Fuzzy Hash: 0241C3306006429FCB4ADF75D98496ABFB2FF85300B0486A9D9068B75ADB30EC55CBE1

Function 064DA630 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978ad916f75129e4f47c37bfb54be99b38e464414ce7a787477310e3a5fbdce2
Instruction ID: 4178f136b72742059bb7791675e0b6cac0c398767b5e51a214cece33fd150550
Opcode Fuzzy Hash: 978ad916f75129e4f47c37bfb54be99b38e464414ce7a787477310e3a5fbdce2
Instruction Fuzzy Hash: A341E634A01204DFCB14CF68D59499EBBF2FF88314F258469E815AB365CB75EC85CB90

Function 0649A088 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3a77a7d6d9bedf280262e3d92e7ea46f7c26d4f1584490af5b0122dfaf8a63
Instruction ID: b54c56c92de9cc890f32c51f13d9e97fcfcc307c9979fefa5109b0764667aad8
Opcode Fuzzy Hash: da3a77a7d6d9bedf280262e3d92e7ea46f7c26d4f1584490af5b0122dfaf8a63
Instruction Fuzzy Hash: 01310439B502154FCB49AB7C9898A7F7FF6EBC9340B10406AE906DB396DE30CC4587A1

Function 012008C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0d15e1925cbad033f20f9144c3edaa96b704a226573bdf7634698e8837ab7a
Instruction ID: 975753704836757690cbf5c2491676048331818d9dbecf242d904d98d134e443
Opcode Fuzzy Hash: bc0d15e1925cbad033f20f9144c3edaa96b704a226573bdf7634698e8837ab7a
Instruction Fuzzy Hash: 2F310530B0020A8BEB19EF79C55436EBBE2AF84740B144129E516C7395EF30CC41CB55

Function 0120D320 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189fca17a8aa58ab6070a70836b4c9fafa8b11334720b5fe229cf833b1d27d6e
Instruction ID: 3b097b2cee8c5c225cf65c0d96dd3034ea6036a4abdc9d5f2c0c3b3e4f9ba483
Opcode Fuzzy Hash: 189fca17a8aa58ab6070a70836b4c9fafa8b11334720b5fe229cf833b1d27d6e
Instruction Fuzzy Hash: 4F312A347102088FD719DFA8C4A9AAE7FF6EF88300F145468E6069B3A5DF769C41CB50

Function 0120292C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3745ae4680f1f6cc1e8fbccad8119574695fc8c78199dc45dab6d8679ce105b6
Instruction ID: 111e6476de600728b11a43ccf774efa311bec10474152c418732877c963c42ae
Opcode Fuzzy Hash: 3745ae4680f1f6cc1e8fbccad8119574695fc8c78199dc45dab6d8679ce105b6
Instruction Fuzzy Hash: 0D41F2B0D10349DFCB10DFA9C884ADEBFB5EF48314F10812AE809AB254DB75A949CB90

Function 064DE12A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37bd8e28d115f9bd453908178ca58d09e394e17ef8da7e0745320ddc37deb80
Instruction ID: 6d432d35221e70f2b73a1f4b6af19c38e15c6b88beacc9e1667ef171b2b15f0c
Opcode Fuzzy Hash: e37bd8e28d115f9bd453908178ca58d09e394e17ef8da7e0745320ddc37deb80
Instruction Fuzzy Hash: 3A315034E10609DFCB04EFA4D858A9EBFB6FF85310F144569E506AB360EF70A946CB91

Function 064DB967 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa7bd1e2ffe2f4dbdff0c0dca63bf3fb9a0f1865cd0137e990ce3e0605bf561
Instruction ID: 4a9e0d6c5c1df9077041b4474c885efded3113b5c976b0811a14a0c10479907a
Opcode Fuzzy Hash: 2fa7bd1e2ffe2f4dbdff0c0dca63bf3fb9a0f1865cd0137e990ce3e0605bf561
Instruction Fuzzy Hash: C231A275E006189FCB40DFA4D8949EEBF76EF84350F15802AE906A7354DB309946CBE0

Function 0120D960 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46df7910a7e67819196a0350972669a188a5b34ea6ac5e3251624db5e96a0824
Instruction ID: abf05b92c143366154ef1d983666f029a170d03b6fa5917161c0cc7ccaaee207
Opcode Fuzzy Hash: 46df7910a7e67819196a0350972669a188a5b34ea6ac5e3251624db5e96a0824
Instruction Fuzzy Hash: 50310731E1072ACBCB15AFB8D4512EBBBB0FF85310F10962AD555A7281EF75A985CBC0

Function 0649BEF1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3e711be9a651a3dc25fe4a9ec947e7445a2a82ff491911695ec78e27861eeb
Instruction ID: 9bf1a055d369e18b422317658d5246d6fdd840843d9f1c77cf94c585a2378b22
Opcode Fuzzy Hash: 8d3e711be9a651a3dc25fe4a9ec947e7445a2a82ff491911695ec78e27861eeb
Instruction Fuzzy Hash: 33316D35A402098FDB14DFA8D484BEFBBF6EF89314F145066E411AB365CB309C85CBA0

Function 064D48CC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6c46d54da797f96f8d727e7383cd3cc8b7af9874f29ccd87d18f360627f41a
Instruction ID: 7e9d0d1cf1fbb6aec3c5ecc305673e952a0089603ac85c2b6a2519d7ae039f71
Opcode Fuzzy Hash: ba6c46d54da797f96f8d727e7383cd3cc8b7af9874f29ccd87d18f360627f41a
Instruction Fuzzy Hash: BE312035715769CFCB5A2B30A42D02E7FA6AB4970230078AAF903C7391DE7A8945CB55

Function 064D61A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0617424c7893dee0ff021ec0d02769fe07043d591665ff4687ded60d562a1d76
Instruction ID: 9c089f81bb622ee4d7750d9e34136ffa810216ef099ebd0d2a41a4f5aae14f3c
Opcode Fuzzy Hash: 0617424c7893dee0ff021ec0d02769fe07043d591665ff4687ded60d562a1d76
Instruction Fuzzy Hash: 5531DF30B116189FC759EB74D824A6E7BB6FF8A200F4044AEE406CB390DF31ED058B80

Function 064D8848 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61f815dcfb5591e303d225b37652654bc21b324dc03fc8f5819ebcc01fe9edb
Instruction ID: 36c0be52ddf8b11ba1c5df82ad538f0516a04ba951f41fbfa17eecaf6c29af41
Opcode Fuzzy Hash: b61f815dcfb5591e303d225b37652654bc21b324dc03fc8f5819ebcc01fe9edb
Instruction Fuzzy Hash: 7F313634F0021A8FCB54DF68D99096AB7F2FF88310B258556E845AB329D730FD46CBA1

Function 01202938 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a395702df54f86573776801e61d0e47f7a7c208c4d143fb87943cd8244a38a
Instruction ID: 4d6dbad0889a9f590b8633959b9c5d47366738c30607e51ccc2b678f8a55c15c
Opcode Fuzzy Hash: 88a395702df54f86573776801e61d0e47f7a7c208c4d143fb87943cd8244a38a
Instruction Fuzzy Hash: 8A41E0B0D0034DDFDB10DF99C584ADEBFF5AF48314F20812AE809AB254DB75A989CB90

Function 0649AB07 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd81c7f0d794a21ae5a12bcbb6205243860433004077e032b8ce8c4360118460
Instruction ID: a4a0ddd2626235f653b87ea90d46062dc08469abb1395993572dd89e4d519b10
Opcode Fuzzy Hash: dd81c7f0d794a21ae5a12bcbb6205243860433004077e032b8ce8c4360118460
Instruction Fuzzy Hash: BA3170347406058FCB559F29D49462ABBA7EFC8311718857AA946CB754DF30EC82CBA0

Function 0649AB18 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2f28fdef3e360cf7b4a8b0ec89f0485c19adbfb0ef702e4a90bdbfed8d0388
Instruction ID: 1344bb328ebb9f52e244d00c400f5f1f3aa247492b593af489119fb487638405
Opcode Fuzzy Hash: 9f2f28fdef3e360cf7b4a8b0ec89f0485c19adbfb0ef702e4a90bdbfed8d0388
Instruction Fuzzy Hash: 03314F347406058FCB559F29D894A2BBBE7EFC8251714893AA946CB354DF70EC82CBA0

Function 065066F8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165b04e5aaef0f45785b004cf0b75d5d30ccc03c61e7605e1e8e4930681e1154
Instruction ID: 2b243fa5fe6db792a8bff6f75d2117c2a3527b4eb06cffe2c1f2773d324e3745
Opcode Fuzzy Hash: 165b04e5aaef0f45785b004cf0b75d5d30ccc03c61e7605e1e8e4930681e1154
Instruction Fuzzy Hash: C53193342007008FCB69DF25D544A6EFBF2FF84310B058A6AE1568B7A5CB70E98D8BD1

Function 0120D310 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a2c30802c9676fe451aa2d0b9718a931eb7ffdafd3d0b49d69b54b21e051ae
Instruction ID: ce2e99e24440a5576878c4a58719022b56ecdde61e13a8fa5f65839e0bf060ba
Opcode Fuzzy Hash: b5a2c30802c9676fe451aa2d0b9718a931eb7ffdafd3d0b49d69b54b21e051ae
Instruction Fuzzy Hash: AA315E357112098FD719DFA8C5997AA7FB2EF48300F1454A8E606AB3A5DF71AC41CF50

Function 01206664 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51864f93d3ef09f29dc99adae7b4d88590758183cddacc3dcf41983d8771ad5f
Instruction ID: 121e29b19b332c0d566199a9ea0bdb7ac0b154f8a65d21654ffa7c1c562337c6
Opcode Fuzzy Hash: 51864f93d3ef09f29dc99adae7b4d88590758183cddacc3dcf41983d8771ad5f
Instruction Fuzzy Hash: E7318F38B101048FC749EB68E49466EBBF7FBC8311B609565E906E7398DF71AC42CB91

Function 064D8838 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8644cd2c13f735f1c0ada53c5f83ce83275926df86961e8ad11660556cda5161
Instruction ID: 43ac49eb68eea6abbbb11edfc2f6b37e81b0e27b2c39621e1591db18219a227b
Opcode Fuzzy Hash: 8644cd2c13f735f1c0ada53c5f83ce83275926df86961e8ad11660556cda5161
Instruction Fuzzy Hash: D2312D74E1020ACFCB11CF68D9909AAB7B1FF883107258196E985AF325D730FD56CBA1

Function 012008B8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84fef2b833805ce9c6b4414c66f8e736aad740f2586c1b7b780ea2f719bc597
Instruction ID: 629bcf15a72567f68cf9a0e96268e0d6ae2b482bef8a0d6dafee8ad0bf5d1b6b
Opcode Fuzzy Hash: a84fef2b833805ce9c6b4414c66f8e736aad740f2586c1b7b780ea2f719bc597
Instruction Fuzzy Hash: 8B31C430B102068FFB6ADF79D44476EBBF2AF84750F148229E516C7295EB30C841CB96

Function 06491C70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1429741e13eb9418bd2ed59355e3235aefd30e8b04bd5beea75ff7d607fef737
Instruction ID: 1c165f0571f40272ecd0a1693dbb3d0b64ed3d0c19bb54fccbd6a96eeaf8303c
Opcode Fuzzy Hash: 1429741e13eb9418bd2ed59355e3235aefd30e8b04bd5beea75ff7d607fef737
Instruction Fuzzy Hash: 68319131B5020A8FCB45EF29D99496FBBF2FF85204B504629E406DB369DB30ED45CBA1

Function 064DB978 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea24d97c198fb5bf0076d8b29d43bf6813d1f42abac15b70270727d2b664f389
Instruction ID: 86fbebdafa7bc6302754633abc33ff87e8d0903f995f47a720ef5ca09d35e60f
Opcode Fuzzy Hash: ea24d97c198fb5bf0076d8b29d43bf6813d1f42abac15b70270727d2b664f389
Instruction Fuzzy Hash: BE316171E002089FCB40DFA4D8949AEBB76EF89310F15856AE906A7354DB30AD46CB90

Function 0649B15A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5481c3a735daef5240c40a601dfa0329175301cc6488ff8e9cac7232263f7035
Instruction ID: 84eaf12e585efc4c184ff0f2a270fa9bf8f439378949c85f248a6989fe231f9c
Opcode Fuzzy Hash: 5481c3a735daef5240c40a601dfa0329175301cc6488ff8e9cac7232263f7035
Instruction Fuzzy Hash: D0318F74A00209DFCF05DF64D5848AEBBB2FF89304714819AD905AB365D731ED46CFA0

Function 06491C60 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441a763dec70080c8b8b8f47c233372efd4a50e6c905d3f54013eccc29cfc6d7
Instruction ID: ccf9acd8813eb20ad2a923a2f7ae94404354a34cdd19408495c7a36dcae2cd6e
Opcode Fuzzy Hash: 441a763dec70080c8b8b8f47c233372efd4a50e6c905d3f54013eccc29cfc6d7
Instruction Fuzzy Hash: A931C131B402068FDF45EB29D99066FBBF1FB85204B40462AE4069B355EB30ED45CBA1

Function 064DFA08 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854eca8f2ab723d6e1278f2a3c7d24818da3338d800b763ce1d3dfde7e01cc0f
Instruction ID: af98cf299fb71ac9b3341cd28ee22406638bceda03287717f18daef1c3843b1b
Opcode Fuzzy Hash: 854eca8f2ab723d6e1278f2a3c7d24818da3338d800b763ce1d3dfde7e01cc0f
Instruction Fuzzy Hash: EF21E731F013168FCB96EB68D9905AFBBB1FF84200B00865BE4169B355EB70DD49C791

Function 064D6E08 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adf79f7fafeb3f8776066aad15440ac9e5eeb4c8895f5192bdd2868bf7a63df
Instruction ID: 511b1fb2a1425015bfd66f98b79c23efd5c5f8da0489156370deaa923a83dfef
Opcode Fuzzy Hash: 8adf79f7fafeb3f8776066aad15440ac9e5eeb4c8895f5192bdd2868bf7a63df
Instruction Fuzzy Hash: 3221F331B113189FCB05AB79E8509BE7B7AFFC6224B148A2AE40597390DE355C46C7E1

Function 064DFA18 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b54472fb5e174658dda7b67552d6d9b16659de87d9b7a0882ba62ac18259907
Instruction ID: 44afb478fc1f1f097e0e304cabacf7cbb0ee59f41c7204719fc7e2d41c57df1c
Opcode Fuzzy Hash: 9b54472fb5e174658dda7b67552d6d9b16659de87d9b7a0882ba62ac18259907
Instruction Fuzzy Hash: 3021B131F002098FCB95EF69D89096BB7B1FFC8204B00826AE4169B355EF70ED49CB91

Function 0649CE29 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940e44166d78715027ebaf941e30b9ad0018780775772a3c5d554a743d6e0b14
Instruction ID: 60583fe21505ee6b4cb01814a3b52b08b87732bfae47be63462bee157f3ff112
Opcode Fuzzy Hash: 940e44166d78715027ebaf941e30b9ad0018780775772a3c5d554a743d6e0b14
Instruction Fuzzy Hash: AC21F230B002059FCB05CB28D888A6BBFF6EFC5304B14846AE44ACB352DB31ED46CB61

Function 064DC2F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756077fc2377e54e1b0bb4cc74e43f8387cf0bca52b7dbc4566821c0a671f7d2
Instruction ID: ea9677a372f4c12b42ee3015391536fddfc7647e87fbde1a14dcb14a3a4428c8
Opcode Fuzzy Hash: 756077fc2377e54e1b0bb4cc74e43f8387cf0bca52b7dbc4566821c0a671f7d2
Instruction Fuzzy Hash: 8A216B31E45244AFCF529BA89CA0A9A3F29EF42360F148217F924CE6E1D731C460C791

Function 0120D9A0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7a948c488052e7e70fba6b38ec5a61d75cd9a953eacab181b3f87644b98f68
Instruction ID: 4e56d1f244409644c0d02e3af55be3045d06dd0000cbb95c30f655d18bb9c344
Opcode Fuzzy Hash: 3c7a948c488052e7e70fba6b38ec5a61d75cd9a953eacab181b3f87644b98f68
Instruction Fuzzy Hash: 59319531E1061ACBCB15AFB9D4541ABFBB5FF84310B10962AD556A3381EF71A985CB80

Function 011AD6A8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795ae0f348eb8b26a5b30e53f0bb66c8666e76a6572b5707cf900005861c42c9
Instruction ID: bceae81a75b8baaa96b239dcddb5a90f3b1facf93f7ca027da4b1ecc4ee5697d
Opcode Fuzzy Hash: 795ae0f348eb8b26a5b30e53f0bb66c8666e76a6572b5707cf900005861c42c9
Instruction Fuzzy Hash: FF210879500A80DFCF0EDF94E9C0B26BF65FB88318F648169ED094B656C336D455CBA2

Function 064D72AE Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ee5c1d9e0619faab702c588084da26a9b38271f8050b69045d8ed2edb2c8bd
Instruction ID: 2ab3cdf6cae5e48268a0a0571d4ada89002863aa7434957a023ab1e1d053517d
Opcode Fuzzy Hash: a7ee5c1d9e0619faab702c588084da26a9b38271f8050b69045d8ed2edb2c8bd
Instruction Fuzzy Hash: F0213970E002599FDB14CBE5C994AEEBBF5EF89300F14806AE805EB358DA759D45CBA0

Function 064D7EB0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9c8a55f7b5ac858888f5d8a99789f3941a42ace0a5822e2c14817b7e291c84
Instruction ID: 2021db0ad127bd9bf8aa90ca54c5a2658e7dc90006290148464f362820d6a655
Opcode Fuzzy Hash: fe9c8a55f7b5ac858888f5d8a99789f3941a42ace0a5822e2c14817b7e291c84
Instruction Fuzzy Hash: 0A215E34F001158F8B64CB99D8D09AAB7F6EB88244B24856AE909DB315E731EC06CBA0

Function 0649B168 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fdeefe91781cbc917401327f0dbf2627f654301957ccc22b2760b2079891ae
Instruction ID: f79846e5c9174c9a51e7c8769719624b60c019d18e634ed5042eeb3df0bc01c7
Opcode Fuzzy Hash: 22fdeefe91781cbc917401327f0dbf2627f654301957ccc22b2760b2079891ae
Instruction Fuzzy Hash: 78315E74A00209DFCF44DF68D5848AEBBB6FF89314B208199D9059B365DB31ED46CFA0

Function 011AD45C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8ca1ac9da35dd95607f88c7e6660f3f1569a30e293227282b5659b96e3f828
Instruction ID: fef10f551031ee3d1de60ca11545b7d6520fd5233de58b9e23c9b6af59810f74
Opcode Fuzzy Hash: 1d8ca1ac9da35dd95607f88c7e6660f3f1569a30e293227282b5659b96e3f828
Instruction Fuzzy Hash: FF2145B9504600EFDF09DF58E9C0B67BF65FB84324F60C169E8490BA57C336D446CAA2

Function 011AD548 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd60686a7790e82246feda9a96042776e04fd369d96d46a79237cf6f0816c33b
Instruction ID: 012bf589bbac18eb07d550cded5439a0eedcee491d34d3d88647c2ba89839bc3
Opcode Fuzzy Hash: bd60686a7790e82246feda9a96042776e04fd369d96d46a79237cf6f0816c33b
Instruction Fuzzy Hash: 182145B9500600DFCF09DF58E9C0B26BF75FB98328F60C569E84A4B656C336D446C7A2

Function 06491018 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dde4c8d3fd0b95838f97ca47c5977cca86364c1268a8af2fcd3f7efc2b8512
Instruction ID: b5e2ab95c6e2961d36d18a524d7ecd918a6b19d7b947e6e6dcc00d9a3a2687ba
Opcode Fuzzy Hash: f2dde4c8d3fd0b95838f97ca47c5977cca86364c1268a8af2fcd3f7efc2b8512
Instruction Fuzzy Hash: 08219A75640A00CFC758DF39D58891ABBF2FF89214B1485AAE44ACB772CB31EC45CB50

Function 0649F73A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b8e41d8bba5c49c119e3e35f71c92cd141892a8df38a97981d8a0da2b015fd
Instruction ID: 850bedf07c1f23742388bef3b5d72b295ad1472cc5f00d81e9e767424dc77897
Opcode Fuzzy Hash: e6b8e41d8bba5c49c119e3e35f71c92cd141892a8df38a97981d8a0da2b015fd
Instruction Fuzzy Hash: 7711E6359012149FDB91ABB89D899ABBFB9EB88311B45C4A7F408D7201EB30DC45CBF1

Function 064DFBC9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3074eacb0574671baaa72336c8a53409ed94c8e9731b6b3e0c838eae2ee2483
Instruction ID: 9a887885e5d9c78f1698b929c5e58d704d84679105df4d208f40fc9a293ed495
Opcode Fuzzy Hash: d3074eacb0574671baaa72336c8a53409ed94c8e9731b6b3e0c838eae2ee2483
Instruction Fuzzy Hash: 9F117A35B052182FC792AFEA9C447AB7FA8DF86561F4041BBF459C7241EA308905C7E1

Function 06503C30 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d71440c09ec2845f8437071ffe4919df359a777bb6e88e8816a48b3dd048178
Instruction ID: 75442aaa35b8cce03fbc2e6cdc27ac63f1bce27300d235adba8c0fa4b4e4b7ad
Opcode Fuzzy Hash: 4d71440c09ec2845f8437071ffe4919df359a777bb6e88e8816a48b3dd048178
Instruction Fuzzy Hash: B821BE726146189FD715EFA8C844E9BBFF8FF05210F4055AFE186CB661EA30E984CB90

Function 064993D9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c53105faa0284411bd82382604b344e69d5f468d0e5d4e13eebae6930b82cf3
Instruction ID: a514769eb891c9a490e3213adb56e1f8b5359e2a097494e29869c7b0e7c8ea97
Opcode Fuzzy Hash: 5c53105faa0284411bd82382604b344e69d5f468d0e5d4e13eebae6930b82cf3
Instruction Fuzzy Hash: 70215C343543018FCB55DB7DD480A1ABBE2EFDD21835585AAE15ACF32ADB30EC058B50

Function 064DF467 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb99052fe0032b60e7ca140621328989da66b4107ace42e4ecec5f377c0d6ee7
Instruction ID: 714ec82972c76ce857c3abe48a283b98f74bdd8db028e68d86ee845420ebd90f
Opcode Fuzzy Hash: fb99052fe0032b60e7ca140621328989da66b4107ace42e4ecec5f377c0d6ee7
Instruction Fuzzy Hash: A4219231605B549FC325CF2ADD40947BFE6EFCA314714896EE44AC7661DA32EC8687D0

Function 0649E521 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73dcbeef57f2c45eead889784b6536225f2e29c8e4b0d9de6eeb0bd60952921
Instruction ID: bd8bb7560f2fe35d03636f68acbe4505ccf53a3b35946bbfca655df10ddeffdf
Opcode Fuzzy Hash: c73dcbeef57f2c45eead889784b6536225f2e29c8e4b0d9de6eeb0bd60952921
Instruction Fuzzy Hash: F311C0312407009FC715DB69C940BAABFA6EF80324F40892AE5168F765DB75ED89C7E0

Function 0650DCD0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ba4e87827bd3233959a67a0abededdca56eea8098dfd30511f27b227de5962
Instruction ID: 9facc7c2559547665c3be980a1662763504d0a8d9d695ab456cbf9ac4d97c069
Opcode Fuzzy Hash: 22ba4e87827bd3233959a67a0abededdca56eea8098dfd30511f27b227de5962
Instruction Fuzzy Hash: 96216A357000159FD784DF69E888DAABBFAFF89620714816AE509CB3A1CB30EC01CB60

Function 0649BD20 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bf31694744dff5923307121989d1b5453eab358a23b01a934c23e971ff2449
Instruction ID: 8a366c87893f6b93305095a0a384ad318e06bd6b92d635e218f7509415ba907d
Opcode Fuzzy Hash: a4bf31694744dff5923307121989d1b5453eab358a23b01a934c23e971ff2449
Instruction Fuzzy Hash: CD21A5753002509FC7159B69D858D7BBFEAEF89711B10452DFA4687361CB36EC40CBA0

Function 064DBE2F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba52f27f36c98d0d1a595ceb4465b86a8aeda789a3f413e26ffe4e909b37ea37
Instruction ID: 9e7f72ab585fedf49a596a82fc8b70843c4c17bb075472af6b0263f3019da30b
Opcode Fuzzy Hash: ba52f27f36c98d0d1a595ceb4465b86a8aeda789a3f413e26ffe4e909b37ea37
Instruction Fuzzy Hash: DE219D70E042589BDF15CBA6C8506EEBFF6EF89320F1880AAE541B7241DB759945CBB0

Function 06506708 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4943bde2d9acd12b7fcea7cc8d18d8abd66aa29c9573d73873c2b8b78433853
Instruction ID: 18e46a925b99c8e7c7598ba6d65f1babd23e15eb6f8ed9744ef901c860803ce0
Opcode Fuzzy Hash: e4943bde2d9acd12b7fcea7cc8d18d8abd66aa29c9573d73873c2b8b78433853
Instruction Fuzzy Hash: 6C212C346007008FCB69DF29D594A6AFBF2FF84310B008B2DD5568B7A5CB70E98D8B95

Function 064DF570 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894f30daa021438beb8c6ba04de1ea94e481fba0d8edcbb429da01aae54bd2e1
Instruction ID: 74e056764b01e54feb72bffd9c3be031a6f8f5c85aa62abac26e51d83b866b27
Opcode Fuzzy Hash: 894f30daa021438beb8c6ba04de1ea94e481fba0d8edcbb429da01aae54bd2e1
Instruction Fuzzy Hash: BC218E30B006018FC7A49F39D4A962A7BE6FF88215714993AE42BC7B60DF35EC068B50

Function 06503667 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8100f8bbce84ed9b556b0be5bc19f546a208fe227740359e559b732ede82aa
Instruction ID: 6ad4c7fb348bd304f9b0ca7978650bfb0ffd6dde2c7694e5196815d3f6f74693
Opcode Fuzzy Hash: aa8100f8bbce84ed9b556b0be5bc19f546a208fe227740359e559b732ede82aa
Instruction Fuzzy Hash: A8212571A10608CFDB18DFA9D959ADEBBF1FF8C310F14806AD405B72A0DB319984CB61

Function 0650BC20 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbeb2b70a8748ae804122e5d8019d868bdfd2fccb14b1965eb99d5fd7a6e2ef
Instruction ID: 6f66b7b86ee462b80fbea5cb4c1da24bb11e18a7fc11d27337376df726dda3c3
Opcode Fuzzy Hash: 3fbeb2b70a8748ae804122e5d8019d868bdfd2fccb14b1965eb99d5fd7a6e2ef
Instruction Fuzzy Hash: EE21D435A203099FDB44AB64D848BABBBB5FF89300F10962AF546A7350EF71A844CB50

Function 064DF639 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f521aae25dec28e5de8bf1ebd68d090c9bd2064a847328bb9ef45216643975f
Instruction ID: 6dd8512882398351ea48c98927c27e03b7f02253c03144c4e16fa6e89689e0d3
Opcode Fuzzy Hash: 5f521aae25dec28e5de8bf1ebd68d090c9bd2064a847328bb9ef45216643975f
Instruction Fuzzy Hash: 8C11823120ABD06FC7728729DC504977F65EE8225131644DBE009C7963C221EC47C7F1

Function 064D9206 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c0c1335bfb0f0f8e221daef196560154485c7a173a30b1bb78b8941fae126
Instruction ID: aab67398b91161ce80098453795d178edb160494415827b66f25eda4738d89d8
Opcode Fuzzy Hash: b05c0c1335bfb0f0f8e221daef196560154485c7a173a30b1bb78b8941fae126
Instruction Fuzzy Hash: EE219235B10208DFDB44DBA8C894AADBBB6FF88714F24416EE605E73A1DB719C46CB50

Function 064D0DFB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7556fbf3717734bf0314bf8c2b64e386f802ccf69760e78041e23ab4461f46f
Instruction ID: a8ad557195fba8306e376f930009d5970015bfa0d07ee2fd7713a17ae9263be0
Opcode Fuzzy Hash: d7556fbf3717734bf0314bf8c2b64e386f802ccf69760e78041e23ab4461f46f
Instruction Fuzzy Hash: 3B21AE71905219AFCB12DFA9C8549EFBFB9FF49210B00056EE649E3202D7319906CBA1

Function 012095E8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdc9401d9dd22efa41f76c232ee1f32463c7fe054f5f9d98041be9c0d594241
Instruction ID: 086c6fcc1fdcb56a21235a8fb5b1b1f0986d1f6d5d1f9bfe4c5a491731ae62e1
Opcode Fuzzy Hash: fbdc9401d9dd22efa41f76c232ee1f32463c7fe054f5f9d98041be9c0d594241
Instruction Fuzzy Hash: 151129301503414FC78ABB78D96466F7FB3EFC2354389947DE0568B6A6DE20AC4AC396

Function 064D9744 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74876e1492676b6af30479f73a705c271adc6031b8ad1d3d918bed93b4caae96
Instruction ID: 6cca88a0cef3d4c83a0740e7fef9994b0e495f2662d6e69736be2b8c43f2790e
Opcode Fuzzy Hash: 74876e1492676b6af30479f73a705c271adc6031b8ad1d3d918bed93b4caae96
Instruction Fuzzy Hash: 39216474E00209DFCB54DFA8D5906AEBBF2FF88314F20842AE50AA7354DB71A942CF40

Function 064D6D4F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a0e10d03d9c85de815d67775b97f8adba3aea7b82d9d0c49d62a261a7ad103
Instruction ID: 64e7c1c9cf321b3c1806e3e5511af224344c5a65a8756f7e7cbedb88010f0255
Opcode Fuzzy Hash: 89a0e10d03d9c85de815d67775b97f8adba3aea7b82d9d0c49d62a261a7ad103
Instruction Fuzzy Hash: 20219031A1061D9FCF05EF68D8548DDBBB6FF8A310F00466AE505B7220EF70A949CBA1

Function 064D6400 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30148394d9a73eceb853a859cee1b83c4495eebb1a080dd3ce1fd306b750bcb6
Instruction ID: 96c658c66dd77f08f895af7de20cef812881080abf1226bc648b39dd53e30341
Opcode Fuzzy Hash: 30148394d9a73eceb853a859cee1b83c4495eebb1a080dd3ce1fd306b750bcb6
Instruction Fuzzy Hash: BA21BE30E007489FDBA6AF64D42C7AEBFB2BF45309F01455ED18287291CB782588CB85

Function 064994B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7b8f08abe254a182662d3db749655bb77088053457e171c45e077f3e11be80
Instruction ID: 41cd610d136b11588fb7e59c05e705dd97e7f0787a8ff2a66d1b0ad3e802aaa0
Opcode Fuzzy Hash: aa7b8f08abe254a182662d3db749655bb77088053457e171c45e077f3e11be80
Instruction Fuzzy Hash: 88115B34B043059FCB45DFB9E8409AABFF1EF89214B0485AAE459CB365DB30DD45CB91

Function 0649DE61 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8e014a2f2ac7c40aea531b704fcda4c0856e96f21af90c7382743b63401919
Instruction ID: 834320ab94364313541aa38163afaa69261a0b326131802a51708c00fc77d987
Opcode Fuzzy Hash: 3c8e014a2f2ac7c40aea531b704fcda4c0856e96f21af90c7382743b63401919
Instruction Fuzzy Hash: 8A11CE31B052148FDB454FBA98802BBBFA6FFC9201F04807BE696C7399EF258C459760

Function 064DC418 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93c1356af0e6ce7503feb106bfaa6be85d3148876c49e10b2aff70e01b1fb44
Instruction ID: 954cd00bfc205706f3eb351510de86ce3ee1eaeffa97930731d9dbd46b080242
Opcode Fuzzy Hash: e93c1356af0e6ce7503feb106bfaa6be85d3148876c49e10b2aff70e01b1fb44
Instruction Fuzzy Hash: 78119831A102189BCB159FB4DC14AEE7F75EF85710F00452AF546A7240EF719955C7E1

Function 0649D9E1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991e023d02ae01cf6353ef5b72737cf6db8ef867dc757cd81c3833e5bb3f3add
Instruction ID: 11c4c75c6811d13d63206c2ba703c71b5d7757b20048f303e351f3b5c4b2da85
Opcode Fuzzy Hash: 991e023d02ae01cf6353ef5b72737cf6db8ef867dc757cd81c3833e5bb3f3add
Instruction Fuzzy Hash: DE1104323456645FCB16AB68F8408BFBFA9EFC5220304416BE5458B395DF20ED06C7E0

Function 0120669F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0784e6edcc3b673ec803265ddc514599c1ceb8932fb5833af0c630665e98496b
Instruction ID: 593e2756a0ee446c148b7c5026217b09917f5000ca1c6ad45a9bcc758889d136
Opcode Fuzzy Hash: 0784e6edcc3b673ec803265ddc514599c1ceb8932fb5833af0c630665e98496b
Instruction Fuzzy Hash: 4311E334F102049FCB189F7899487BD7AF6FBC4720F18826AD9159B396EF718D518781

Function 011AD6A3 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: 677af248f07fba1ca21e02116c72fd038b2e8fca06dcb06ed3290e8cb1c065ad
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: C121AE7A504680DFCF0ACF94D9C4B16BF62FB88318F2482A9DD490B656C33AD456CB91

Function 064D6410 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27655326f02f7c2befecada9e5b0d182780b208efe045c88dd672c68894c28e
Instruction ID: bb1c9f3331c46ac529a6a2f673c14ed4b492b3c64fad42f7bcc3def6f0925235
Opcode Fuzzy Hash: d27655326f02f7c2befecada9e5b0d182780b208efe045c88dd672c68894c28e
Instruction Fuzzy Hash: E3219D30E00B588FDBA6AF64D52C7AEBFF2BF44315F00451ED59696280DFB86588CB85

Function 064DE619 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d79d607d379d8ac228c283e771131a79ad5b7ce12312850e5bbece4e25056fc
Instruction ID: 9a50c260e7f04444f0b46579c36902b7003a60d85f3787ad01bb38ff718576b8
Opcode Fuzzy Hash: 2d79d607d379d8ac228c283e771131a79ad5b7ce12312850e5bbece4e25056fc
Instruction Fuzzy Hash: D2115A76A006149FCB14DFB8D8448AABFF9FF89210B01416AE945E7321DA30A944CBA0

Function 064D83CF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee00cc1466d76e2efe9844603c239dd85ec0c475683a6e8de5b30217a8ddd16
Instruction ID: 2c68fe6855313ca8b65d7bd8cbfedd43d42164e418658ab62fabd90ac8ddba5a
Opcode Fuzzy Hash: 1ee00cc1466d76e2efe9844603c239dd85ec0c475683a6e8de5b30217a8ddd16
Instruction Fuzzy Hash: D401ED316102016FC755DB2DE4008AEFBEAEFD53107448A6BE059CB72ADB30EC4A87A0

Function 064DDEBF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfeaa1ee9af882026ee4ea31bff0449bba7b1b19ed162037d73a324cbd5e986
Instruction ID: d8257b60c74e1de1c77e005a3b837833508f140d05aab455d6c53838a54f3c6c
Opcode Fuzzy Hash: 7cfeaa1ee9af882026ee4ea31bff0449bba7b1b19ed162037d73a324cbd5e986
Instruction Fuzzy Hash: 1911D235F005018FC754DF29D8E49AA7BABEFD5251314416BE505CB324DA31DC02CB90

Function 064D6D60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0905c9d99d313a14e1d99559478ff085c200fff1607174e3dca30251b112ce
Instruction ID: dad282d404657d4bee903bbbb8e2b305326898a8d150482ed3f52b589a35195b
Opcode Fuzzy Hash: be0905c9d99d313a14e1d99559478ff085c200fff1607174e3dca30251b112ce
Instruction Fuzzy Hash: 53115E31A1061D8FCF05EF69D8548DDBBB5FF89310B00466AE505B7224EF70A949CBA1

Function 012066B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35529f96e76de908ce4fd068c4eb2c7f9ba910771526ffb62995956ead918ad
Instruction ID: cb76d2c79ab1b991ff07808c12601350aebdf1489d4ee5c06202f65ef523c0c2
Opcode Fuzzy Hash: f35529f96e76de908ce4fd068c4eb2c7f9ba910771526ffb62995956ead918ad
Instruction Fuzzy Hash: 7811E930F002149FCB186B78954477E7AE6EFC4720F188666D9149B396EF719D918781

Function 011AD457 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: b798f79b23888579e77e42d8f3eea98108b0838a6ee9faebf8b99e8717d8daff
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3411DF76404240CFDF06CF54E5C4B16BF72FB84328F24C5A9D8490B656C336D45ACBA1

Function 011AD543 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: dcbc7a1b97a241a486569899b3b02ad6cfff364a5be42a231b41c57c741cd960
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: FC11E176404640CFCF16CF54E5C4B16BF71FB94324F24C5A9D8094B656C336D45ACBA2

Function 06491E2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e370b28f44d958a4c7b03cfd22d1743ebd49a80348c08d2992e0a06bea2877f
Instruction ID: ab736251def3a701fa526c4e7e3647c78b6d2d93afbfb10164d33b8991ce53f5
Opcode Fuzzy Hash: 1e370b28f44d958a4c7b03cfd22d1743ebd49a80348c08d2992e0a06bea2877f
Instruction Fuzzy Hash: 69112134E50209CFDB44EFA8D959BAEBBB2EF88314F108559E515AB2A0DF70AC41CF50

Function 06491DC0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c036d0027de6b541c6b5894407e16d236b961db84834b3d183ca6f01285c91
Instruction ID: 2f6ed594020e76779aed72f1b09f33707b173781da3ec8ff4ef7605584586fc8
Opcode Fuzzy Hash: b9c036d0027de6b541c6b5894407e16d236b961db84834b3d183ca6f01285c91
Instruction Fuzzy Hash: 10213070E0020A8FCB45EFA8D8949AEFBB1EF44300F109556D429A7364EB349D46CF90

Function 064D0E10 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538f5cca1062f3ec02818e0b2984f254f9e1971de5d332de43ecec5b75f97541
Instruction ID: 600983e111c22b429c85e3cb62aa2375efd27293222cb86eb455f6ef6d4c7461
Opcode Fuzzy Hash: 538f5cca1062f3ec02818e0b2984f254f9e1971de5d332de43ecec5b75f97541
Instruction Fuzzy Hash: FA113D71E002199FCB11DFA9C8449EFBBBAFF89210B10452AE609E3301D731A946CBA0

Function 0650CCD0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f37335d864669f3ce08db71f47efaf95bae6e18ba096d967eff6a9b39331e8
Instruction ID: 253636d06d32070dedc55872bd6e5ccea46460dee3df5c36d039982f50396706
Opcode Fuzzy Hash: 55f37335d864669f3ce08db71f47efaf95bae6e18ba096d967eff6a9b39331e8
Instruction Fuzzy Hash: E0210775904249EFDB41CFA8D844A99BFF0FF09310F148599E919DB2A1D332DA61EFA0

Function 0649BD10 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ee48d06537738b1c622ceae21a9caf67827ff912e5557a16314b0b862e4786
Instruction ID: 80295b0796cc21c449bea3146f4c79ab5433f106befbb5fba7965ca4b8b26113
Opcode Fuzzy Hash: b6ee48d06537738b1c622ceae21a9caf67827ff912e5557a16314b0b862e4786
Instruction Fuzzy Hash: 7401F9342056906FC7269B29DC54E7B7FEAEF8A211B00815EF68687351CA75DD40CBB0

Function 064D8FE2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cb8c965be0bb5b2f2d28c5bcfbacbd581c5ed6129971e18eae43ff63031846
Instruction ID: 58d2a21cd1087d7dc88a13d68017f0a76a11a9b6e0ebd68b68a6d18e56279c80
Opcode Fuzzy Hash: 62cb8c965be0bb5b2f2d28c5bcfbacbd581c5ed6129971e18eae43ff63031846
Instruction Fuzzy Hash: 4F11CE71A00B099FC751DF69D880897FFF5EF8A210700C66AE4599B211EB30A909CBA1

Function 06499FF2 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7223057f723f2c56a069a1d586539e4f192974316bfd7930e4fbf000adffeae2
Instruction ID: 61f997a5c6ab634ac1069364dc26e103f5c002f9ca863b41d3e41e6a377f6807
Opcode Fuzzy Hash: 7223057f723f2c56a069a1d586539e4f192974316bfd7930e4fbf000adffeae2
Instruction Fuzzy Hash: 29014131B413009FDB569F7099056BF7FA6EFC2209B04856AE8059BB80CF30EC0AC7A0

Function 0650CC30 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d106ed918bd5b21324e6b7ec666ca4135342651cca62744eb35d3768504b7b1a
Instruction ID: 7101e348a5b329c26f8abb2d64237b6cd868183367fdffafc1d869f58aeae801
Opcode Fuzzy Hash: d106ed918bd5b21324e6b7ec666ca4135342651cca62744eb35d3768504b7b1a
Instruction Fuzzy Hash: 6E01E131A006549FDB258BA5D914BEB7FF6BF89300F044529E452AB291CB358944DBB0

Function 06491DD0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea3e78202a1ce3ee1f38ac2e5798c20322b09b1f0111c62b1d4a70e8c8b7cd2
Instruction ID: d07882a130a38a455fe13b25af26f4918499854eaad63e60841bfba9155c78a2
Opcode Fuzzy Hash: bea3e78202a1ce3ee1f38ac2e5798c20322b09b1f0111c62b1d4a70e8c8b7cd2
Instruction Fuzzy Hash: D911FE70E0020ADFCB45EFA8D8549AEFBB5EF44300F10856AD429A7364EB34AD46CB91

Function 064D9761 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36818c1fc1eb54c86d81c63838ce4cc72a7c933d2da45521279093e77dc809f
Instruction ID: fb50966b0dc2df9e232d4831dda76878fe3eca8c51104b71c8a29a9dec31f714
Opcode Fuzzy Hash: d36818c1fc1eb54c86d81c63838ce4cc72a7c933d2da45521279093e77dc809f
Instruction Fuzzy Hash: 20113374E00219DFCB44DFA4D5906AEBBB2EF88314F208429E54AA7394DB75A842CF90

Function 064D6B17 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2951c580b8dd6288e1938827a21259656824990774a72d26b6f7f3b9866aed1
Instruction ID: a4a89ed986abf79aaf648736ee4da194292bd68757336d867e92295ff4ccc07e
Opcode Fuzzy Hash: f2951c580b8dd6288e1938827a21259656824990774a72d26b6f7f3b9866aed1
Instruction Fuzzy Hash: 9A11F375E00229CFDB54DF69C898B9DBBF1BF88308F1584AAE505EB3A1DB709945CB40

Function 064DE628 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c06f277999bee82a2f72f92edd215ee6385e9023f728f9822f836ccfdf2a4dd
Instruction ID: 598c69303aadc43a1c67f2fb623fbb13bfa56a488c7ef3ec9861971bc14ad5eb
Opcode Fuzzy Hash: 1c06f277999bee82a2f72f92edd215ee6385e9023f728f9822f836ccfdf2a4dd
Instruction Fuzzy Hash: 8D012D75A00615DFCB14DFA8D8448AEBBF9FF89210B10416AE905D7320D731AD44CBA0

Function 064D2E50 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde2d15602489e71e18f37319c5593fcca4b3bae88671e65ceeab3314d32f752
Instruction ID: d42e3ff4c1fa8af3b1f34c4b4b7324e1b371b97338ec545f0371dd16d42bb44c
Opcode Fuzzy Hash: cde2d15602489e71e18f37319c5593fcca4b3bae88671e65ceeab3314d32f752
Instruction Fuzzy Hash: A8F02473B0121257D7205AAAFC889ABF79FEFD8631B14803BE709C3702DE75880182B0

Function 064D2911 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad81dcf857072ed9e51b805bd47f3f86e6fb716ac26081b16fe91455c303e764
Instruction ID: 3d722a9eb377326a6392c022c535ac9b1597ca0c2aca4fb6ff887f083a456b8b
Opcode Fuzzy Hash: ad81dcf857072ed9e51b805bd47f3f86e6fb716ac26081b16fe91455c303e764
Instruction Fuzzy Hash: 300126312002159FC7059A58DC58AEBFBAAEBC9311B04863BF51ACB391CB70AD08C7E0

Function 0120FF07 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fa5c2fc5cca3032bf9041aa852c4b4f31aa420bfe4a8bb825706322eaa4c33
Instruction ID: b686056ef233b7fb08fe113862a12204c831006f7fe8e145b7a8c9e724b8beb6
Opcode Fuzzy Hash: 01fa5c2fc5cca3032bf9041aa852c4b4f31aa420bfe4a8bb825706322eaa4c33
Instruction Fuzzy Hash: 2E111578201B019FC325DF29D580A46FBF1FF893143108A2AE85A87B05DB31F85ACBD0

Function 064D2C18 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0dab107e5a1a1f3a01765071ec7a31d10f2bed1a4d33b1ee2066b1c6acda95
Instruction ID: ad9f58e12f24055b7379afafce32bd5e493419e5ad08ab1b11b7b58cdac39552
Opcode Fuzzy Hash: 7a0dab107e5a1a1f3a01765071ec7a31d10f2bed1a4d33b1ee2066b1c6acda95
Instruction Fuzzy Hash: B90126316003401FD71A6B64DC505BFBB7BEFC1250B04892AEA128F351CA719D09D3A0

Function 01209618 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1937cdf1a9313892729441f818e903f10e2df7c343d4b73c5e1213be8981e066
Instruction ID: 1d0a248b5cd4e671a6e339c97ccb15f4f94684f2bb886a228ee8c63b44f715c9
Opcode Fuzzy Hash: 1937cdf1a9313892729441f818e903f10e2df7c343d4b73c5e1213be8981e066
Instruction Fuzzy Hash: 6F015E312603054F878DAB78E69867F7AA7FEC5294384692CE02787794DE70AD4AC781

Function 011ADAD5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b71e6772af422134780cb55e4105e943db32daa9179092af0ba380b67d3ff6
Instruction ID: 281104f456e2b8f2181982e68d12bf32ccf67d9695e14f02c27315bb8884b316
Opcode Fuzzy Hash: c9b71e6772af422134780cb55e4105e943db32daa9179092af0ba380b67d3ff6
Instruction Fuzzy Hash: 56012B35108B409AEB198B69DDC4767FFDCDF42324F58C46AED094A687C779D840C672

Function 064DE6D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f8a10c314a5ab42f2c7d1e3c92fe44926dbcd04b012635cb8f67803b23993a
Instruction ID: 95bfbee3d0585be859117821a541efc83b094e1884874050ce1eb3b404946813
Opcode Fuzzy Hash: 28f8a10c314a5ab42f2c7d1e3c92fe44926dbcd04b012635cb8f67803b23993a
Instruction Fuzzy Hash: 01012C3690015AAFCB01CFA4DD04CEFBFB6EF4A310B1541A6E608EB171D6319A19CBA1

Function 0650B270 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3697c8273bc66b7d50382f0349f0b960e74eaa81855f68e8aa6bd1e8f47f0cd
Instruction ID: 65708c4c9d4409e94f3534dcc9eb3f1c25147855f8f2c98aad081b48ef697023
Opcode Fuzzy Hash: a3697c8273bc66b7d50382f0349f0b960e74eaa81855f68e8aa6bd1e8f47f0cd
Instruction Fuzzy Hash: E701C4353505118FC704DF69D884C59BBE9FF99B1131644AAEA05CB372DA32EC11CB90

Function 0120FF18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae9fc022a447925ffa3a0fa6220421af676c5bb35ef81c123faa1259bd4a128
Instruction ID: a8ef0ef1eb7566ab7ec194bad3c51df27353e49f4597b66b637ba160f4a2a903
Opcode Fuzzy Hash: 4ae9fc022a447925ffa3a0fa6220421af676c5bb35ef81c123faa1259bd4a128
Instruction Fuzzy Hash: CF01D778201B159FC324DF29D580906FBF6FF893143108A29D85A87B14DB31F859CBD0

Function 064D47C2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54807ad6d361abe6532ab308c87e49e13ac5e667dd6cca879e86d8dcd639737
Instruction ID: 53e61209380e2ab5a95c8b7d766e74cff7fd91fd10594e118b766f7868c79414
Opcode Fuzzy Hash: a54807ad6d361abe6532ab308c87e49e13ac5e667dd6cca879e86d8dcd639737
Instruction Fuzzy Hash: A301DE38D0829DAEEB15DBA5C814BAFBFF5BB46340F088416F011B7281CB784845CBA1

Function 0649B651 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c40354011a149802802f2535db28ed67da10b3225a18e0f9be8aee69a255948
Instruction ID: 78ce831f0ac3c9ff77faaf0d9847f0c92d3b854630c5cf326c2aed4ff815c40f
Opcode Fuzzy Hash: 2c40354011a149802802f2535db28ed67da10b3225a18e0f9be8aee69a255948
Instruction Fuzzy Hash: AEF0FF32B086256FD7459BA4A8045BBBFE6FBC9210304406AE405C7300EB20AC01C7B1

Function 0649B660 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927cba93878886ac288e83433d172073be18786348da827ab88c4d7dc9b04995
Instruction ID: abaa82e90b41a1e99efd9c027258eceb76eb709ec972e0071d1dec5a07ebb81b
Opcode Fuzzy Hash: 927cba93878886ac288e83433d172073be18786348da827ab88c4d7dc9b04995
Instruction Fuzzy Hash: 160181717042155F8798ABA9A81456FBFE6FBC9250304442EE506C7340DF31AC05C7A5

Function 0649A000 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6d9aeaf61d9456681a70cbcc645d069be8f3ada4c7ac80da766a4a310fbf48
Instruction ID: f7a222c379c2a75b461863df4503bccd119246bae41d79747f55bdb97ad9c647
Opcode Fuzzy Hash: cd6d9aeaf61d9456681a70cbcc645d069be8f3ada4c7ac80da766a4a310fbf48
Instruction Fuzzy Hash: 6A012130B403049BCF65AF75A80566FBBA6EBC2604B04853ED8019B780DF31E809C7A0

Function 064D66B1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e763c3502bdbe0eac7c407397b158899d38259fd9c1803b7d754b705a22d43
Instruction ID: 34abe70853b5dbecfbcd85343322cbcd72de52a304e436973e38d5213067e228
Opcode Fuzzy Hash: 48e763c3502bdbe0eac7c407397b158899d38259fd9c1803b7d754b705a22d43
Instruction Fuzzy Hash: 8E1117B4D0060EEFDB40EFA8C459AAEBBF1FB48704F10856AD419E7210DB759985CF91

Function 0650FF30 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384f192ea156c5bc716d40225607d5a2c02396e3395b6a1413f8142717f20f57
Instruction ID: edde61884625cc8942ac0793097fafd751d0c1b60e86b81f2ab6635e24cc3ee1
Opcode Fuzzy Hash: 384f192ea156c5bc716d40225607d5a2c02396e3395b6a1413f8142717f20f57
Instruction Fuzzy Hash: 2BF04C306067C14FD7795734891A69B7F65EF83314F08098EE883870D2CAACD98DC750

Function 06498C30 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7b3b6b560a5535fb639f11897cea8ffb3a69b4edb11a09d8717e3e7950803f
Instruction ID: 8ce7d3d1e4eda124c935baab3d171022b6b43f649fa65591c2a93cb0f0c84dee
Opcode Fuzzy Hash: 7d7b3b6b560a5535fb639f11897cea8ffb3a69b4edb11a09d8717e3e7950803f
Instruction Fuzzy Hash: 4CF0BB311452486FDF415A5DAD409BF7F69FBC2650F44492BF9158F101DB319D04C7B1

Function 06491BC0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bcc0dffc8a767859f05d12ab1d9bb6abdecabfa614d10e8684027a5cf51aaa
Instruction ID: b377dc5a8ed7d75237943889cd9706948bd5e8fd7af6e009b60a788e14835412
Opcode Fuzzy Hash: b1bcc0dffc8a767859f05d12ab1d9bb6abdecabfa614d10e8684027a5cf51aaa
Instruction Fuzzy Hash: BC01D271E4820AAFDF11EB65D8457EFBBB4AB04300F144426D401A73A8DBBC9545CEA1

Function 064D5B68 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a4541dc15bfa82fd28226749f7da0ac1c3a9819a5f2d0b71550666facfaf12
Instruction ID: b781fa1a2286f8c3f6221e03a7d9ecf6db0e8c9ffaf85019ab888c9ad28a3ae8
Opcode Fuzzy Hash: 91a4541dc15bfa82fd28226749f7da0ac1c3a9819a5f2d0b71550666facfaf12
Instruction Fuzzy Hash: B9012631705340AFD3291B64C85879ABFA6FF81314F54146ED24A4B682CF726C45C760

Function 06500E01 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7b1afc7015cecafcf799994f96632fe6a68a191fbfd2b4459782123ce1e155
Instruction ID: ff29467679967c58507e65a623613ddfe60a3fdad853f1f6fbca0f7e0ece9706
Opcode Fuzzy Hash: 8c7b1afc7015cecafcf799994f96632fe6a68a191fbfd2b4459782123ce1e155
Instruction Fuzzy Hash: 39F06279304610AFC715CB58E988D6ABBEAEF8D22532541D6F509CB376CA21DC01CBA0

Function 0650CC40 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6cc8a1d5ce07216e3ef93139a7173999e8c2ca6a8be11d6e830d6fefac6e64
Instruction ID: 6e58c6b36fca87949ff9160c333711cb551a056efcbf922a8eff00769b256939
Opcode Fuzzy Hash: fb6cc8a1d5ce07216e3ef93139a7173999e8c2ca6a8be11d6e830d6fefac6e64
Instruction Fuzzy Hash: C801D431A042689FDB25CFA5D904AEEBBF6BF8D300F04456DE552A7390CB369900DBA0

Function 01206760 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1061d156abcc079cd64210efa062d9543d88215c3add0bd89ecb60eb62a15fed
Instruction ID: 5e62eb936aa754dc2d803aba9a1908c957c1c93a726724aa5982923cb8d26115
Opcode Fuzzy Hash: 1061d156abcc079cd64210efa062d9543d88215c3add0bd89ecb60eb62a15fed
Instruction Fuzzy Hash: F801AD30A10229CBDB19EBA8C4047FDBAF2EB8C301F10012AE501F7291EF754D54CBA5

Function 06491BD0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cea44f4a37ea6add4d58380175a0dc93ccf87b55e9ab67ec34e9eb2f77fd074
Instruction ID: a16cb33b469b4c2df59ffdeff5f6e093ce41a2262a7f74eaace5a3fe0f969a78
Opcode Fuzzy Hash: 1cea44f4a37ea6add4d58380175a0dc93ccf87b55e9ab67ec34e9eb2f77fd074
Instruction Fuzzy Hash: 5201BC35E4821AAFDF51DBA5D8447AFBBB4AB44300F004436E801A73A8CBBC9645CBA1

Function 064D8370 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e866821303c17e12294b6cac68b765bf83000668158010e30c8bf9497a500e
Instruction ID: 03000a7a2e4983b412424d3f9149dc91b63048cc2520100ee12938a1be149b9b
Opcode Fuzzy Hash: f2e866821303c17e12294b6cac68b765bf83000668158010e30c8bf9497a500e
Instruction Fuzzy Hash: 9BF09A383042186FD7159B29E854DBFBBAEEFD525030581ABF8418B326DA60DD468BE0

Function 0649A190 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaeacac1bde6734f74531af548d50b3b89c482d41549ae24693cf3f4fb07789
Instruction ID: 4d462e6b08bdf6394629cb408bed253366769b259edc7bf590e92970df063506
Opcode Fuzzy Hash: ddaeacac1bde6734f74531af548d50b3b89c482d41549ae24693cf3f4fb07789
Instruction Fuzzy Hash: 77F0E21676E3A40FC34627781C690B93FA1EADB24038948DBE942CF296DE148C47C3A1

Function 06492FA0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cb15bbc217ac3b7d7491df4ef950cf4728dbcc4bfae3ed402c763b00d7d790
Instruction ID: e43bdf8f2d620bb3dc5b21485e9b81456a17a0bd6b46b8e7a7a746e05c15474d
Opcode Fuzzy Hash: c1cb15bbc217ac3b7d7491df4ef950cf4728dbcc4bfae3ed402c763b00d7d790
Instruction Fuzzy Hash: 4101DF70E84209AFDF45EFA8C41536F7FB0AB02308F40445AE09197BC9DBB84904DBA2

Function 064D8FF0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dff63581e57619bef000c52403c78ca8db6222306da5ecb4fbd530b33c55cb0
Instruction ID: 845f71a4dc54fc2b5c62ce7ac504cbcc7dcf66adc86d15491e641b8e3b90da0d
Opcode Fuzzy Hash: 9dff63581e57619bef000c52403c78ca8db6222306da5ecb4fbd530b33c55cb0
Instruction Fuzzy Hash: BA016D75A00B099F8754DF69D88089AFBF5FF89210700C62AD55997314EB30F959CBD0

Function 064DFC40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6610893f7e20a16a1a834de205f4bc6d40076594bef86cbae8812652208ddb6
Instruction ID: 3883e66ecc372509585ad9b0597fdb3ce00cb79603937691d79b429649f670b8
Opcode Fuzzy Hash: e6610893f7e20a16a1a834de205f4bc6d40076594bef86cbae8812652208ddb6
Instruction Fuzzy Hash: AC01DF74E442099FD790EFA8C42536F7FB5BB01B08F00419AE816A73C5CBB94919CB81

Function 064D9990 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b32b79ca1cffa4105355a91f1bd1285cdd9183cb05aff397935f7650bcaa4bc
Instruction ID: 3a17eed546ad6fe90a2a46684da9fe7e8a744b6daf2eb0a705af48ad0c6b8d44
Opcode Fuzzy Hash: 7b32b79ca1cffa4105355a91f1bd1285cdd9183cb05aff397935f7650bcaa4bc
Instruction Fuzzy Hash: 10F0F461A0E7D04FE39743681C356A63FB19B97240B0A80DBE089CF6A7D6488C0AC726

Function 064DD4A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108ed0d8ffb940eda884cd0ca864ecc427d18fb392efe80b63e4dcd02ddea121
Instruction ID: 6ca512a72911482dc84751e01c56d1f901154773c1eee838977b1177db001463
Opcode Fuzzy Hash: 108ed0d8ffb940eda884cd0ca864ecc427d18fb392efe80b63e4dcd02ddea121
Instruction Fuzzy Hash: 9701D671640B049FC364DF2AC98495AFBF5FF88310B008A2EE44A87775EA71E8498B94

Function 0650C775 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc59cd379a72d3042f337578eb8b37bad65be84125cbe43720492dce0387e9b6
Instruction ID: 49f3c6d26add90ffa93cfe36927d91d50da5ac086a835e5dc0addb44de78e7d4
Opcode Fuzzy Hash: cc59cd379a72d3042f337578eb8b37bad65be84125cbe43720492dce0387e9b6
Instruction Fuzzy Hash: 91F0F030A06354AFC741EB789C1A6EE7FF1EF4A610B0004AAE509D7242E7354A00CBC2

Function 06505C7D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b85088eb6502bd8ef65cc5d1d532f4f7c0f8768b563653312f201136eea580
Instruction ID: 946e3d7893c14a79a453d9c0a83c5ec8acd5c2933a181c5fbf2d0b3857a75448
Opcode Fuzzy Hash: 29b85088eb6502bd8ef65cc5d1d532f4f7c0f8768b563653312f201136eea580
Instruction Fuzzy Hash: D3F08C397405018FDB85DB64E5446AD77B2FF88220F29406AE806DB3A0DF31ED06CB80

Function 011ADAD4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1714997509.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1217d3ec4b9e85c17eaf78d2eb75f984426f5ab45bfca048740eaa42741580
Instruction ID: 4c7dc6b7e7e5d969bc010d503e08b2d303d40451d8a6998484f21f376caabfa5
Opcode Fuzzy Hash: ed1217d3ec4b9e85c17eaf78d2eb75f984426f5ab45bfca048740eaa42741580
Instruction Fuzzy Hash: 17F0CD71008740AEEB158E1ADCC4B62FFE8EF81624F18C45AED084A687C3799844CAB0

Function 064D66C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d86d8cab87bf5891d504cd8ae632d00fc931d29b25b3306e83eef0c261c746
Instruction ID: a657397293807992044708afdeefeed084ffec5a5b4492a20a5986ddc86cc061
Opcode Fuzzy Hash: 33d86d8cab87bf5891d504cd8ae632d00fc931d29b25b3306e83eef0c261c746
Instruction Fuzzy Hash: 500108B4D0020ADFCB44EFA8C0596AEBBF1BF49304F10846AD919E7250EB759585CF90

Function 064D47D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a88d2fe1407478b03985a2aec86e71347639165ecd6fb8f05a0f5c4d42918aa
Instruction ID: 3d48af8d5a7e385c8ec883f0bc4f64a4c4af9d6530a615c96176f4673bd938a9
Opcode Fuzzy Hash: 0a88d2fe1407478b03985a2aec86e71347639165ecd6fb8f05a0f5c4d42918aa
Instruction Fuzzy Hash: E001AD74D1829D9EEF15DBA5C8247AFBFF17B46340F089026E412B2281CB795589CFA1

Function 064D5B78 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adf731b8e11983419f4e892fee840ec1cc3dcc3f373a2b0517f90dcfef4df1c
Instruction ID: 6e6a7d055d753c392d9f9954f4e0d51c1768589d680f5df073773c0fec4765f8
Opcode Fuzzy Hash: 9adf731b8e11983419f4e892fee840ec1cc3dcc3f373a2b0517f90dcfef4df1c
Instruction Fuzzy Hash: 6FF0F630705750AFD3691635D45875BBF97FB81614F50242ED287877C1CF726885C750

Function 06505C98 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b5e5adde611bbfee666577f25ebd542d4aff6aa92c1b69e3d9df756c2f3e3a
Instruction ID: b6cc749548e1be4c7b8e44fd27124c35593b3d9646fbd26c33295e173390a7ff
Opcode Fuzzy Hash: 21b5e5adde611bbfee666577f25ebd542d4aff6aa92c1b69e3d9df756c2f3e3a
Instruction Fuzzy Hash: DAF03C712502045FC355EB69DA4095EFBA6EEC5210790CA39D05A4FB28DF71FD4A8BD0

Function 064DE6E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b06a9f7430ffdd773404545ff426cadc14f2bfb1311121c5b4522049fd9f162
Instruction ID: 0f7ec1a6dc5c61fdf4192b29f42ae6281c3a59bfb5d690749b30e0eef77d781a
Opcode Fuzzy Hash: 8b06a9f7430ffdd773404545ff426cadc14f2bfb1311121c5b4522049fd9f162
Instruction Fuzzy Hash: 94F03C3690010AEFCF00DFA8D904CDEBBB6EF49310B1041A5E618EB270D731AA15CF91

Function 065035D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1defb34151795cb309140c1524d43ed7704a4d1927359effa15aacad6659396
Instruction ID: a50de40b7b2084fe5e0f3752b4b902d0d154eb8ca20afdae729e00e431cde10d
Opcode Fuzzy Hash: c1defb34151795cb309140c1524d43ed7704a4d1927359effa15aacad6659396
Instruction Fuzzy Hash: 85F03A75C056299FCB40EFA9E8056DFBFB8EF05350F508166E919A7201E2308A55CBD2

Function 0650EF20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4289fece9de8e632e1b21dc0ca11f6d8823259788bf5ba60470d8af784bb93e6
Instruction ID: 11d912551dc79946ba9799dfb580b243fcda1309aaa798f924c84f4a14c54bb8
Opcode Fuzzy Hash: 4289fece9de8e632e1b21dc0ca11f6d8823259788bf5ba60470d8af784bb93e6
Instruction Fuzzy Hash: BDF06D767103508BC784AF68F4145697BABEBC5232314866AE12AC73E8DE208C018B92

Function 065020C1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f9756b2f3f1614828a5811094e8c8b840364f6669234e308f337cbcf13601e
Instruction ID: 144adc5de00cb1210b7de57afdfce8d87a850aec2b64f01b35529b9493e26927
Opcode Fuzzy Hash: d6f9756b2f3f1614828a5811094e8c8b840364f6669234e308f337cbcf13601e
Instruction Fuzzy Hash: 33F03735205A549FC315CB29D858D57BFA5EF8962431982E5F14CCB362D632DC43C7E0

Function 0120D469 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7b09e9f61337276a206df0a9a5138385175e1dfb40e6d3338f54b5f0c7e32d
Instruction ID: 593010d744bb34057a625078eed913e5800f1392dadb54b5c2a4f5631e63a65f
Opcode Fuzzy Hash: 3f7b09e9f61337276a206df0a9a5138385175e1dfb40e6d3338f54b5f0c7e32d
Instruction Fuzzy Hash: 9DF0E53131A3995FC71753BA691047A7FB9DDC322030500B7DA48CA393EE28DC0683A1

Function 064DF6C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1442e8480029f7dc1e169f2ec36ea8ff63ec40191b4dfa8e3ad492b35aea54cd
Instruction ID: 44619ca174d75539ae9c9478d93c69db87cd24f756b41d7cd449e0289a9a40d6
Opcode Fuzzy Hash: 1442e8480029f7dc1e169f2ec36ea8ff63ec40191b4dfa8e3ad492b35aea54cd
Instruction Fuzzy Hash: 29E0ED367512148B4B6566BDB41446E779BDAC45A2354447FE60EC2A50DE71C8068690

Function 064DAD3E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918056e4805908daeed3b7cd2c201a46092c31590a41ee6830b7146725b319f8
Instruction ID: 6c06043b66ec66481f248df3e43baf6d63af8e545be03a0955ad5c561444ed5a
Opcode Fuzzy Hash: 918056e4805908daeed3b7cd2c201a46092c31590a41ee6830b7146725b319f8
Instruction Fuzzy Hash: F3F027356043208FC3218B29DC949163FE1EB8526931980BEE05AC7671C121EC82C760

Function 06500E10 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db771bca799baba652f3495288a135456f51b375dcf32a8b15d681e392dddf70
Instruction ID: 99ce8d71ad21c48587f22853675d803e9d65f4681cd4b2eb01175b448958951d
Opcode Fuzzy Hash: db771bca799baba652f3495288a135456f51b375dcf32a8b15d681e392dddf70
Instruction Fuzzy Hash: 1DF0DA793101149F8704DB59E488C2ABBEAFFCD6253254195F509CB376CB61EC01CB60

Function 012086FF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8197487509158537344cf809bbb9bd43695b87b0cbfe45e78788c8c06dc8c0
Instruction ID: ddd75fe4d79f8cbfb0582397566b699a8657cd154e188ff590fd7bcaddd720f2
Opcode Fuzzy Hash: ea8197487509158537344cf809bbb9bd43695b87b0cbfe45e78788c8c06dc8c0
Instruction Fuzzy Hash: 18F0EC376181A09FC707A738ED296EF7F70DF92111B0910E6E0868B1E3D6244559C7E6

Function 01208F20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36c20a15260636538750bc1aafd24c4c7eefdfd2f659c4c4e341ebe41d5d9a0
Instruction ID: 0da0f5238096c3fd9cadd9d62c7775b54d2f35ff9a0034b82b44a951c8cbecbd
Opcode Fuzzy Hash: a36c20a15260636538750bc1aafd24c4c7eefdfd2f659c4c4e341ebe41d5d9a0
Instruction Fuzzy Hash: 71F0A7316142199FD709D6B8E4557EBBFE9DB44125F54416AE608C33C1DF32D901C794

Function 0120FE71 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5ecee3e56646db584487f32263f4d03e292a31d6e415ec6083af7f64fbc50e
Instruction ID: da7ca019542ab8e3cca1537385b066318625fd21fa81d8d3dfc965bc2a0d570f
Opcode Fuzzy Hash: ae5ecee3e56646db584487f32263f4d03e292a31d6e415ec6083af7f64fbc50e
Instruction Fuzzy Hash: FDE092B391A3811FE34386B8DD227CB3F618B42221F0586E7C885E76D2EA64C9058367

Function 064DC3BF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cf55bab010604907e5fe60b7f3c52ee7ff4a08078bceeba1e5f7c8b357d5e4
Instruction ID: 14f607f0dbfdbc5639eed9b0f91f54d703c719a05e3ff4ddc49c668f3e02561b
Opcode Fuzzy Hash: 78cf55bab010604907e5fe60b7f3c52ee7ff4a08078bceeba1e5f7c8b357d5e4
Instruction Fuzzy Hash: 4DF0E9327086445BCB016E659C608AF7FBAEFC6210F04482FF99597252DA328811C7A1

Function 064DC831 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf540e04be261dc4af553f0a38738661877a34a67840b8394a7186c0315b267
Instruction ID: d1714a3f9073f63ad67b2c834012ba9748ba6d8dca28a86156c58cbe89b1c590
Opcode Fuzzy Hash: 7cf540e04be261dc4af553f0a38738661877a34a67840b8394a7186c0315b267
Instruction Fuzzy Hash: 51E06D32B45110AF96658A6F9894F93AB9DEB95A32728813BF00AC7361D521DC01CAA0

Function 0650E078 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4300376fe020073bdc2dd54c3db4ac865d548e04fa1c1e895515b19d70616e05
Instruction ID: a45f003d62b72e11dba7351371e6213ff26665d03ce5917df18a48ca0b228784
Opcode Fuzzy Hash: 4300376fe020073bdc2dd54c3db4ac865d548e04fa1c1e895515b19d70616e05
Instruction Fuzzy Hash: 86F0A0317552805FE32696789454AE7FB99FB85310FA808AAE145CF2E1CB20DC55C360

Function 06508F47 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8da94506fa62d9b542ec00706a8528e4d9918af86e8ea0576eacbe6c176af7f
Instruction ID: 6f5ca0102d346f32c597fe2eed7d3f6de7c4f9fce320dad344a00f10fd05c2e3
Opcode Fuzzy Hash: a8da94506fa62d9b542ec00706a8528e4d9918af86e8ea0576eacbe6c176af7f
Instruction Fuzzy Hash: 93F06C35B04318AF8715DA7A9C5599ABBFEDFC52513058067E509C3245DE30980187A5

Function 01209717 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e434f5e477ba3c380f2e0e887b923cdf9217ef6f689b529f09042dfaa63828
Instruction ID: a873381b91650942ed0bb10749d9a660242ebc44c83faaadbb06fe1afc8c8b72
Opcode Fuzzy Hash: e1e434f5e477ba3c380f2e0e887b923cdf9217ef6f689b529f09042dfaa63828
Instruction Fuzzy Hash: 52018C70502B058FE726DF61E549657BFF1FF88301700EA6EE48A87A65DB30A849CF80

Function 0649B6D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d45b0401af2dd2ac21f9385bc85af86b4ec5d96b59c8c4c6b00cf3eb791f4c8
Instruction ID: 81f0cc45f6c3260859d00f292f7a6e4541e70574a1fb73491ec68318a0a51b99
Opcode Fuzzy Hash: 3d45b0401af2dd2ac21f9385bc85af86b4ec5d96b59c8c4c6b00cf3eb791f4c8
Instruction Fuzzy Hash: C0E02273B043101B5727492B3C848BBAF5AAED457030683B3E648C7386E9148C028271

Function 06498BC1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c12996d3d165829e54bdc4f1d3af038a170a3b48864662a49ae9e8395c1a9a1
Instruction ID: b64f84659d08ed1e8fe1d81e63bd663193e16a31962d0824e7eb1b28fce613ac
Opcode Fuzzy Hash: 3c12996d3d165829e54bdc4f1d3af038a170a3b48864662a49ae9e8395c1a9a1
Instruction Fuzzy Hash: 2BF030312446549FC715DB69D854C6ABBF9EF85204309859AF146CB322DA60FC40C7A4

Function 064DB622 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb42daff03cfb0a3ebe2cde5e15f8b596d92411a566060602e1b98f2164dcda1
Instruction ID: 75b759c829756914d272a0d0f56a5d45531850d9bf0b455f50482aea5fbdaccb
Opcode Fuzzy Hash: eb42daff03cfb0a3ebe2cde5e15f8b596d92411a566060602e1b98f2164dcda1
Instruction Fuzzy Hash: D8F0A072724108EFDB01DF44D891CBF7BBAEBC8620F00810AF60686250DB31A8529B90

Function 064DC3D0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062da42ff1cba6d147bbb02191a2bb5e107edcb04785319e7e6eac55c1395bbb
Instruction ID: 51e795f7388e195575918ff9962d5993d349f0d8ab209e6923bbfc83ac60ee89
Opcode Fuzzy Hash: 062da42ff1cba6d147bbb02191a2bb5e107edcb04785319e7e6eac55c1395bbb
Instruction Fuzzy Hash: 6BE09B327006086BCB406E5AAC5099FBB6EEFC9651F01452FF51597351DF718C1197E1

Function 064DC838 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652061c45b35c3290f38a91e37e0878062bddcb50f4e1525fd56a9484f7c6242
Instruction ID: 4a88c78fcb5aec2a48694c2f380b7efb622b0003bde80174f2da06093ea5e0a7
Opcode Fuzzy Hash: 652061c45b35c3290f38a91e37e0878062bddcb50f4e1525fd56a9484f7c6242
Instruction Fuzzy Hash: 89E0DF32B442146FD3658A2F9C84F53B3DDEF89A32B24803BF509C7360D661EC00C6A0

Function 064D9957 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eec5a8b056196a66a90314af4a19b3244cf232b29820f1dfd0abbeb0853e0f0
Instruction ID: 67426b1dc754a550ea9066e5fa39c749e4c8cc6f2df613abc60db3d1675ceda6
Opcode Fuzzy Hash: 9eec5a8b056196a66a90314af4a19b3244cf232b29820f1dfd0abbeb0853e0f0
Instruction Fuzzy Hash: 93E09A6520E7D02FE35706285C257E62EA69BC7251F0A41D7E195CB693C5580D0687B2

Function 0650EF94 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5044b7016fa2c4153dea4b03c1f36b50b3e5a5b38da95840c87b037833fe9913
Instruction ID: 354997c1a8f65e551af0678d8d47e946dfe41187b1bdf6534460a092804e6fbd
Opcode Fuzzy Hash: 5044b7016fa2c4153dea4b03c1f36b50b3e5a5b38da95840c87b037833fe9913
Instruction Fuzzy Hash: 17F0A7353092508FD7811BB8F8591243B76FB853223144356E266CB3F5CA64C8468392

Function 01208790 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33c1e2c6408e8c47c6e0849275f6ebcef0ca4b28d343bc97d2537bd40588673
Instruction ID: f7fef1c84240d9f181bfdca6c47b6ac5097fe36dbf952186fea83029fd6ba880
Opcode Fuzzy Hash: b33c1e2c6408e8c47c6e0849275f6ebcef0ca4b28d343bc97d2537bd40588673
Instruction Fuzzy Hash: F4E092312102145BC3186B5EE489AEF7FAEEBC9365B80203CF10EC3282CF65584587A1

Function 0649D277 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c19fe00e1a7c6fd05c51b28e35088844d1838ad2e2b9c41bc0545123391becf
Instruction ID: f43f1ffcc047a96119e30a277626da99f2d58fbe6d5bae75ef2569ab7bc21f64
Opcode Fuzzy Hash: 4c19fe00e1a7c6fd05c51b28e35088844d1838ad2e2b9c41bc0545123391becf
Instruction Fuzzy Hash: 0DE092B4C012096E4748DFA898455FEBFF9EB88200F50856AD408E2700E33049018BE1

Function 01209728 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084ac65da676ece2059f6e53e6f55fec9b87048b308ba55cbebdfa3bebf9da20
Instruction ID: a2627c9b66b3f7bcd45eed64e27b39dc76e1d8429c73ba82073d4675053632de
Opcode Fuzzy Hash: 084ac65da676ece2059f6e53e6f55fec9b87048b308ba55cbebdfa3bebf9da20
Instruction Fuzzy Hash: 6AF03A70512B098FD728EF66E509657BFF6FB88311700AA2EF44A83A54DF70A845CF84

Function 012096C3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a93151fbc409262c6253ce6a5a643fa5439f50d96cbb69584efc56ca9cdc956
Instruction ID: 66af5ab48e634a5d078bad766b4f031e90205b816b7669d6d790ed960f5dabf7
Opcode Fuzzy Hash: 0a93151fbc409262c6253ce6a5a643fa5439f50d96cbb69584efc56ca9cdc956
Instruction Fuzzy Hash: 00F0A0311403544FC714AB2DE44971FBFE6DB81208F04542DE14687750CFA1A805C795

Function 06499578 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3762d19ddaaab0701bb237678df75b1118c3152cd4902521f5fd4bac4a7246
Instruction ID: ac7c6f78eb6f96829653f3442359091bee8253f7132964387926e55bccb9b4a0
Opcode Fuzzy Hash: 0c3762d19ddaaab0701bb237678df75b1118c3152cd4902521f5fd4bac4a7246
Instruction Fuzzy Hash: 5AE092343052808FC7558B28A9548C67FA1EF8D36A715809AF406CF325CA79DC42CB91

Function 064995C1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ad46f7502305540ed241d396b5ad69c04a59d495b846772bb2454c43e57433
Instruction ID: 35b98cf65a4f233fe942c932d773271ea414fe02597d8602c71bfc9aa70884c6
Opcode Fuzzy Hash: b1ad46f7502305540ed241d396b5ad69c04a59d495b846772bb2454c43e57433
Instruction Fuzzy Hash: 85F03030D0524CAFC745EFB8E8544AEFFB5EF46304F0081EAE545AB361DA341A18CB95

Function 064D3F90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74d7f769ba18ff9766012f36c16303cb90a5691a4c2313d7889f29964f4273c
Instruction ID: 3f0802af074420573150c94c5419fad5a38ae58d49be4cd6bec4689542370593
Opcode Fuzzy Hash: d74d7f769ba18ff9766012f36c16303cb90a5691a4c2313d7889f29964f4273c
Instruction Fuzzy Hash: B3E06D3160171D8FDB269E3AE8909A7B7F6FF41201704093EA08387B24CB71F844CB81

Function 012096C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f11e016a15f5095216290fb5dc899aae2fbfaaafdef2055343b0354c8b76d29
Instruction ID: c3258bab93bfefd2f9f4934f08ef1d8978665ba9ee895902892a6468a9716ca3
Opcode Fuzzy Hash: 1f11e016a15f5095216290fb5dc899aae2fbfaaafdef2055343b0354c8b76d29
Instruction Fuzzy Hash: 2BE0ED302403688FC710AB2DE40971FBFEAEB82308F00582DE14687B50CFB2AC06CB91

Function 064915F8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8f5262acd4559bd63d343aa4f5a36323defc4dc3afceedf75e77b88c20a1d4
Instruction ID: b95dcca68f324b6c8aa78ce4361ab03de5196b47a6985b11ae3de4efde8d476b
Opcode Fuzzy Hash: 3e8f5262acd4559bd63d343aa4f5a36323defc4dc3afceedf75e77b88c20a1d4
Instruction Fuzzy Hash: 8BE086727041141BE7659569FC19BAB2E9A87C5261F08403AF10DCB380EEB19C02C7E5

Function 064D5358 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3dfbd4a96dd2fea8900fef1459c3cb947946f23c791da0410fbd3a3b9770c9
Instruction ID: 10146e22552f4c2fd83c9bbb3ec75241aebf3ee1a32a8a21c8292f7d74c20e35
Opcode Fuzzy Hash: fd3dfbd4a96dd2fea8900fef1459c3cb947946f23c791da0410fbd3a3b9770c9
Instruction Fuzzy Hash: 51E0D875A0A7048FD74A7B7CE82807DFBB69F8621170441AEEA06E7642EF7188508786

Function 01201858 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b291fb29f546692c4642c897bab996298dff55f6a0d7e12b14f6453b721f07fd
Instruction ID: 19d849101e98b430a50073c6d3c54ca445ce87361a4aed3ab3bb12b0b3052c32
Opcode Fuzzy Hash: b291fb29f546692c4642c897bab996298dff55f6a0d7e12b14f6453b721f07fd
Instruction Fuzzy Hash: D6E09270956348EFCB42DFB4D9405987BF5FF0721971044EAD004DB225E7311E05CB61

Function 064DFB88 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a377dde2b334b6c4123e43aad64d79babea07465762f2442d6b04c46ea06db1
Instruction ID: 7649ec1c8da7abc6f5735c6e8ae207b18b3923a64560ee10ce14d2729ff7c07c
Opcode Fuzzy Hash: 1a377dde2b334b6c4123e43aad64d79babea07465762f2442d6b04c46ea06db1
Instruction Fuzzy Hash: FAE02633E7026607D7B24298E0343B733CE8B84230F048073D10E8BBC1C5A9881947D4

Function 0650C790 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae057b042933ae81fb4c029745ff4673bf1ef5eff15c701e57012288fe2bb70
Instruction ID: 6a299c4feada37dfd9c268f6de9fbb1676a3da9e9529434d67c29d34b2a9479c
Opcode Fuzzy Hash: fae057b042933ae81fb4c029745ff4673bf1ef5eff15c701e57012288fe2bb70
Instruction Fuzzy Hash: EEE06D70E00218DFCB80EBB898092AE7FF4EB49210F104469D91AD7341E7358A41CBC0

Function 065035E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7820a150d62b426bd2367c7ad8a98f3a2f33c35b75027391df2cc8dc065723
Instruction ID: 4786a2e45ae647f05f13b04b22590ba7f323a491ccd8791f993657d7f4618a6e
Opcode Fuzzy Hash: ae7820a150d62b426bd2367c7ad8a98f3a2f33c35b75027391df2cc8dc065723
Instruction Fuzzy Hash: 41F01E71C002198FCB80EFB8D9002EEBBB8AF09200F10812AD919E7210E7309A548BC1

Function 06498B88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d21bb4b133bd18b77d4310747fe4e631eb41bcf5bb2ab115629301282607c82
Instruction ID: ae0a050c5189dbe863ba377122931983e53ca42f7791cf8433ac7a466625eeec
Opcode Fuzzy Hash: 6d21bb4b133bd18b77d4310747fe4e631eb41bcf5bb2ab115629301282607c82
Instruction Fuzzy Hash: 09E086352497955FC3025B78E8214A5BFB9DE0651530441D7E995CB333CA61AC4487D5

Function 0650FF40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3077f7a762a6ee689796316493db69e6fad1229bbea674d22822fe8f8db35b52
Instruction ID: ec19b30b845bf3d26b75c3592045757e09ba956736229c4e4760ae120cb290de
Opcode Fuzzy Hash: 3077f7a762a6ee689796316493db69e6fad1229bbea674d22822fe8f8db35b52
Instruction Fuzzy Hash: 64E0863165175006E77865689206353B7DCAB41768F04081EE94BC1450CBEEE488CB40

Function 0120FCB9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea345f4d3f3ee1e6a139e4bd52ee8b1ddc1aa56c4b504384f1274ed8b09cf91
Instruction ID: 5ffed86b35b16b4ac93b61a78c1f54e13b3345ecc31b022cec93878baa4f74a1
Opcode Fuzzy Hash: fea345f4d3f3ee1e6a139e4bd52ee8b1ddc1aa56c4b504384f1274ed8b09cf91
Instruction Fuzzy Hash: F4E0CD327102049FC725DA78DD055867FA8DF0621174010A2E949D7261EA30DC00C792

Function 064D6268 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df31c265afe1111fc59ad4116804907b2a8bb63009a24000e240e8ac37a11f4
Instruction ID: cf09fa91389d103bf36f6cd18927cccff8cb359b0838648d582ce07c59938f10
Opcode Fuzzy Hash: 9df31c265afe1111fc59ad4116804907b2a8bb63009a24000e240e8ac37a11f4
Instruction Fuzzy Hash: 4EE08631F12A189BCB4A7B68E4344AE7BA6BF86612740512FE50793340DF60AA458BC5

Function 064DAEE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72933ca01504c19788bd4bf34192bc602c9a3ab3c31e7da3e6df2d929dbba762
Instruction ID: 1e75845c38fefcc419471367be56bca11e9fa1b35c6b81f70e09c5ee1da59fc0
Opcode Fuzzy Hash: 72933ca01504c19788bd4bf34192bc602c9a3ab3c31e7da3e6df2d929dbba762
Instruction Fuzzy Hash: 0AE08631046758BFC7124B58DC10892BF6AEF1E75935440ADF6458A112C273D873DBD0

Function 01208738 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb078e1626ae48e3c654f0dc783a886175349e4e20c5d6d9d6049a934ec17ce
Instruction ID: f49945799fca919d7626e97737c15b35cc2491aa9ec43ce9dfb85a6df095d294
Opcode Fuzzy Hash: 5cb078e1626ae48e3c654f0dc783a886175349e4e20c5d6d9d6049a934ec17ce
Instruction Fuzzy Hash: 68E026363201148FC708AB58E52877F3BA6EBD02227061429F106DB380CF309D0A8B80

Function 064D5368 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abab0f5cdd516697cbac0478c5f9c1a988bd3a7cf7c097c1d275d607917464e0
Instruction ID: 4fb4c1dd40351a6124b69384614fe697f831e95d0f09fe532e3e7130cf533725
Opcode Fuzzy Hash: abab0f5cdd516697cbac0478c5f9c1a988bd3a7cf7c097c1d275d607917464e0
Instruction Fuzzy Hash: 63E08C35A02A148BDB093B7CE82807DB7B6AF86211704052DE506E3741EF6098408785

Function 064D53AA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d144ab2f3f5f56bd537303488c7525f79f60ca2a4353f0526ee655645824771
Instruction ID: 72bfb066f52e691c95dea5c73799ce38718fc38f838626a58e269bb2d9e85174
Opcode Fuzzy Hash: 6d144ab2f3f5f56bd537303488c7525f79f60ca2a4353f0526ee655645824771
Instruction Fuzzy Hash: 6FE0CD30D1B7585FDB26562098147B77BB8DF41630F04149BE041C6541CFE46C4087D1

Function 064DAD88 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d663d05e2d7a7390288aa6c822bcaff1d74b7567ec438b2fbd5fd6377c22d8
Instruction ID: c8a6314a86c212f6c8cd5ba0fe8fff5455aab851e046a84d1f77cf30d6d7cdc8
Opcode Fuzzy Hash: 19d663d05e2d7a7390288aa6c822bcaff1d74b7567ec438b2fbd5fd6377c22d8
Instruction Fuzzy Hash: 8FE0C224A4A2D82F8B926B797C508A67FFF4F4305830401ABE898C7247DD91DC8983B2

Function 01208748 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183efe0ff4e7075050d3bd619f28ad8dd3109f10be1fd51115d36a58d338fadd
Instruction ID: 229558683e9f8353d892deb41dfd39ce02da728a0768080fdb6f6540b723823d
Opcode Fuzzy Hash: 183efe0ff4e7075050d3bd619f28ad8dd3109f10be1fd51115d36a58d338fadd
Instruction Fuzzy Hash: D7D0C7313201288B8B08A768A8284BF3EAAEBC5621340202DF20683380CE2099428795

Function 064995D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6092ef11bdcc73b97687a7507a09c5e64c60d1260254e85e648d01ee2f6df91c
Instruction ID: e1c232848e50ffaa5c30afd5aff22a8ae77cde8a59e6e85acf3f15bc92e97d56
Opcode Fuzzy Hash: 6092ef11bdcc73b97687a7507a09c5e64c60d1260254e85e648d01ee2f6df91c
Instruction Fuzzy Hash: 45E09A70D4420CAFCB44EFA8E55459DFFB5EB45304F0081AED519A7354DB745A48CF85

Function 06491B78 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17a173f4e92d2f279176767a680830945ae483263fdcaebc79c8b5e9163eaf4
Instruction ID: 6fae058427895656a88091588543d75e3d5a88390547ad6adc97118a4cd0cadc
Opcode Fuzzy Hash: f17a173f4e92d2f279176767a680830945ae483263fdcaebc79c8b5e9163eaf4
Instruction Fuzzy Hash: 7BE086322152109BD7152721E44A7957FA8EB05251F5C4996F801C7750DF7AF805CE90

Function 06491B88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5719fd90cad7142edd36399a28e2dae53f76afb27cede063c7f6034b2b12d7ec
Instruction ID: 6d8e8f8c2e0c9b39d450243c61ff583636e29e2e74e42da3bfd20291cab43f3c
Opcode Fuzzy Hash: 5719fd90cad7142edd36399a28e2dae53f76afb27cede063c7f6034b2b12d7ec
Instruction Fuzzy Hash: C2D012322552249F87142BB5F449459BFA9DB452623080967F80AC7740DF7AE901CE90

Function 064DF9D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3d18f5d81192f888d6575d0cd12a1f7b9d75bd9f5958e481900b819044b746
Instruction ID: 262314c018b62f99f79035856c887beb5c27acdde0c917a32755e5a305f89edb
Opcode Fuzzy Hash: cd3d18f5d81192f888d6575d0cd12a1f7b9d75bd9f5958e481900b819044b746
Instruction Fuzzy Hash: 6AD05B3700A7569FCB029715FD5E5A63F64D6521613044186B44687236D7544D0FEFE2

Function 06502110 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d457f95143a2c13549a880b3e3486c6b520dc8bcf70bef6978359ea4c4528c
Instruction ID: 5752e91bdd36d4ac0cd12761e514e15d96467e25a7eb33c3a65540703c4ec93b
Opcode Fuzzy Hash: f3d457f95143a2c13549a880b3e3486c6b520dc8bcf70bef6978359ea4c4528c
Instruction Fuzzy Hash: E4D05E39109AA09FC3169B29A81869B7F74DB9E12131996DAE1488B356C5368C83C7E0

Function 06508EC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6407c42e2a835575b47909691e182a59a0d755ab9477e49b3f5af5d51997ce
Instruction ID: faef798c22debf0743ca3522f2a0a46fdd237e11bfdef1cb93eb919fdd7b9c13
Opcode Fuzzy Hash: 0d6407c42e2a835575b47909691e182a59a0d755ab9477e49b3f5af5d51997ce
Instruction Fuzzy Hash: 82D02B3520A57067C31A6B64BC547CB2F25FB4B1903520143E04947256CB184C0A87F3

Function 0120B821 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966f1ab303e35a0512b076ddacb1c85f62f888067612190b4136115bb0eabe39
Instruction ID: 900a5f7935850417379698852c0ab4cc472912831ce0bd73b665192093a4a309
Opcode Fuzzy Hash: 966f1ab303e35a0512b076ddacb1c85f62f888067612190b4136115bb0eabe39
Instruction Fuzzy Hash: 3FE08C3A1142059BE341BB68F1C075A7762F380300F4012B9E082473DAEB329C8D87A0

Function 064994F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa32da362fe1f4b7dd94171cda208f3953fe5d842ac441026a7a6639e9561a0
Instruction ID: 4c150136d9e920d5dda91770dd3fd8e86cdc8635ddcc03712639b554774e5942
Opcode Fuzzy Hash: 1fa32da362fe1f4b7dd94171cda208f3953fe5d842ac441026a7a6639e9561a0
Instruction Fuzzy Hash: 10E05B31905244BFC701DFE48C115BABBB9EBC3200B0545D6E945DF651E9319F14C7A7

Function 064D6BFA Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2248e5e5bd38296e25382b0a9f3bd1ba2a0e4d79a718867381ee4b084b4d017
Instruction ID: c46983b9317006cb54fe38825e2256e2b0859ab6bf5f817f82d78bad4fd6ea66
Opcode Fuzzy Hash: a2248e5e5bd38296e25382b0a9f3bd1ba2a0e4d79a718867381ee4b084b4d017
Instruction Fuzzy Hash: A4E0E539A00129CBDF509B44E894BADFB75FF44315F1480A6E549A7250CF315A99CF50

Function 06502550 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725910605.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6500000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c105d7461a11e3a1abbcf81f94a42671856f058186f22f001ed215cb84eab12c
Instruction ID: 4825a51b48d5f67a5cb2a5ba9359401d812e997f0a2269012ce3f39cdf33adff
Opcode Fuzzy Hash: c105d7461a11e3a1abbcf81f94a42671856f058186f22f001ed215cb84eab12c
Instruction Fuzzy Hash: 00D05E327101209F87049F1EE40486ABBEFEFC962132940ABE109C7322CA71EC03C7A0

Function 012097ED Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce29110b53f024ad7fb932862f5e5847ac1dbd2696e6eb54159417065a355547
Instruction ID: c4c706cbfde105dbf09cd92053d3f94c4507b8501f3f861b080308edabb34d2f
Opcode Fuzzy Hash: ce29110b53f024ad7fb932862f5e5847ac1dbd2696e6eb54159417065a355547
Instruction Fuzzy Hash: 22E086645141804FE713DB2CC459B467F90AB91304FCD81D9D1448B19BD728D90AD392

Function 0120C8D0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788eb6c2557aa3454f7296d2b1991fb401479271fc8fe3c5be5834f333bc520c
Instruction ID: 2c9f400ee2ef36be30f29283908e5f363b96c45d03b26b0784090aad8de11b06
Opcode Fuzzy Hash: 788eb6c2557aa3454f7296d2b1991fb401479271fc8fe3c5be5834f333bc520c
Instruction Fuzzy Hash: C1D05B3471031A57D704376CA8052A63FAAB7C5220F545127F50641500EF3448024784

Function 01209ED8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ff7e4481e8e9634073c0ffe2ffc36301a3d688a78d1d8a80b46c93eedf0d3c
Instruction ID: 65da82d40153726b66feaead1220d59212bc144402403b340ddbe23c9ee61018
Opcode Fuzzy Hash: a7ff7e4481e8e9634073c0ffe2ffc36301a3d688a78d1d8a80b46c93eedf0d3c
Instruction Fuzzy Hash: 7DE08C36100200ABDB61BF64E8817893B61FB4A210F1146A4E84A9B35ECBA49C4AC788

Function 064994C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66741b180cc3d6c951cd209dcff1455f0aae1b5b4f9771e8716f1877319c882
Instruction ID: 80bb667aa49c13be3ed48119fda19f4bd8eea4128cabc89d34137590bcd88822
Opcode Fuzzy Hash: c66741b180cc3d6c951cd209dcff1455f0aae1b5b4f9771e8716f1877319c882
Instruction Fuzzy Hash: 83E09274E05208AFCB44EFA9D44449DBBF5AB88200F0080AAD808E3300EA349A408F80

Function 0120AF38 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658ee807e7fcb7ddee063d281e7051f24a4d5afa55e16a5803a690d6914cd1e8
Instruction ID: 8a6010fb328c001d374675b81d93a2724ddd768be372847f199d7402b98e8093
Opcode Fuzzy Hash: 658ee807e7fcb7ddee063d281e7051f24a4d5afa55e16a5803a690d6914cd1e8
Instruction Fuzzy Hash: 04E086351002999FF745BF68F088B667BA0E341314F415268D2899B39BD7B09C8ECB45

Function 0649F7C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea6027e7dc87924e0797ba97ba739d05c18210a110f4d0801274ff8290a2eaf
Instruction ID: e3b0ef1346c0dbe0b383ad3c1cd1bf5b966259b66b510cca80cae4023e6ee4c8
Opcode Fuzzy Hash: 3ea6027e7dc87924e0797ba97ba739d05c18210a110f4d0801274ff8290a2eaf
Instruction Fuzzy Hash: 17D0A73826420CCBCB157FB4F049A177FA9EB813197845095E50D87754EF36DCC0DA50

Function 064D1380 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653f8ed120f46f2f4c09ce0f1670a6390303785615d2b44fef5d7599ba552a8c
Instruction ID: f8d0a17c19f2db530ec372d659165c5801ce0c04a35f92d89f7a279c1b737399
Opcode Fuzzy Hash: 653f8ed120f46f2f4c09ce0f1670a6390303785615d2b44fef5d7599ba552a8c
Instruction Fuzzy Hash: B2E0E574D0024ACFEB60CF90C898BDEBBB1BB48300F20016AE805A3680CBB05A81CF90

Function 01201868 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5409a7f863b088cdc6fa307a989f791531518cae04c2977efe5c79a6dca52382
Instruction ID: bf75d84dc3e799720fd3a5deeb7b7fec6237de1e552dd05b7e22627dd1b0b76e
Opcode Fuzzy Hash: 5409a7f863b088cdc6fa307a989f791531518cae04c2977efe5c79a6dca52382
Instruction Fuzzy Hash: 70D05E70A0120CEFCB44EFB8EA8169DBBB9FB44204B5041A9E408E3308EB316F009B91

Function 01201F2C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3654c5039c8b50be4b7d12517dd44a9894be217f81afe2614231985b75d3135c
Instruction ID: ceaa3d540889e4da524dd58af386a2f074e54b46fd3b2061903f14b2f8e1e022
Opcode Fuzzy Hash: 3654c5039c8b50be4b7d12517dd44a9894be217f81afe2614231985b75d3135c
Instruction Fuzzy Hash: D7E08C3065130ADBEB269F50E11D7AD7F32AF11749F20052CE201AA1C2CBB4C964CB40

Function 0120FEA0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87071d2fd0450e08fd67c2c4a46158bda05f620e52f285f88ceacfdef2102e24
Instruction ID: 0b76874ad431f625de1850c2821a19bf4b3a81e9ac85e53aee29f1625f971bb3
Opcode Fuzzy Hash: 87071d2fd0450e08fd67c2c4a46158bda05f620e52f285f88ceacfdef2102e24
Instruction Fuzzy Hash: DDD012726542182B4719EEAD58615DFBFAEDA84170B0044AAD909D7241ED715A4082D9

Function 0649D288 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4632ef72024f0f543f2ec12095de24b1b200dd5286cb4e8cddaf5f682c0dd55
Instruction ID: b105cf9a8514af857af840b15b6b50a9c60159823061df49fecd3ffce3a581ab
Opcode Fuzzy Hash: c4632ef72024f0f543f2ec12095de24b1b200dd5286cb4e8cddaf5f682c0dd55
Instruction Fuzzy Hash: 72D017B4D0420D8F8B84EFB984812AEFFF5BB08214F2045AAC918E3300E7305A408BD2

Function 064DAD98 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d9a8db0927d461ec2187e923326b71d29c51179ec79b249e43c71786c95b28
Instruction ID: 7cf1195df0b7885e15a1e0826f966c7c857d77aadf7fc52d11ccea5904f269ec
Opcode Fuzzy Hash: 34d9a8db0927d461ec2187e923326b71d29c51179ec79b249e43c71786c95b28
Instruction Fuzzy Hash: 47D02231F812692B0BD1B66EB8404A3BBEF4F47011340417BEC08C3345EE20EC4843A1

Function 0120CF77 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715291365.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d79d583deee4f543718ea02154c1c2f41d86c2a976498c987e401e74a328ce
Instruction ID: 3a48f21b189dbe357cc4ae456536a9185c1c4ad1deddffc1c243a21e253faba6
Opcode Fuzzy Hash: 82d79d583deee4f543718ea02154c1c2f41d86c2a976498c987e401e74a328ce
Instruction Fuzzy Hash: AAD0121912470D66F74067DA6C067267F28F352711F54626BFE0850541AF36981183A5

Function 06498B98 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c35bd1ffaf9c271dafaf3f30c8e8bb3f5ae5ff505a92cd83f23e9f1d7b7567a
Instruction ID: cb1c00cd2b6f54c7cdadc3b688dc825baa0ef18b85ca704aa008f32300d2c478
Opcode Fuzzy Hash: 9c35bd1ffaf9c271dafaf3f30c8e8bb3f5ae5ff505a92cd83f23e9f1d7b7567a
Instruction Fuzzy Hash: 35D0C931290A288FC705AB6CE454899B7E9EF4966531041AAFA16CB335DBA1AD008BC8

Function 064DAEF0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce04e2702d95081bfb67e74ac58b88d4faa7fc2e5d0e8f1aebb18ba1c6bbeafe
Instruction ID: 416e55df46e2bdc0c59145ab08ff6feb959ec2f7aec3497b57a098fbd43d2e7d
Opcode Fuzzy Hash: ce04e2702d95081bfb67e74ac58b88d4faa7fc2e5d0e8f1aebb18ba1c6bbeafe
Instruction Fuzzy Hash: 24D09E36101218FBCB065B94D800895BF6AEF1D75971440A9E6095A221C773D472DBD4

Function 0649874F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a9c863e790f19bce569b433186552f0aa490f37359b15fe5def3343022216a
Instruction ID: 0d72f9159f3c353909b6453c9a4113cd4c5aaac158df52caae22d79669192d37
Opcode Fuzzy Hash: d6a9c863e790f19bce569b433186552f0aa490f37359b15fe5def3343022216a
Instruction Fuzzy Hash: 34D05B31459788CFC711BB64E81455D3F74BB16305F44425EE4459F151FB605555C741

Function 06498720 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca56151d8a4125a33de15b1e849d0c0817ac2313b03dd092981b2cf27ffecf8
Instruction ID: a0e505bd10900d41099c9aa70287a56461de5303ceb15b7a95d70b95ee857105
Opcode Fuzzy Hash: 4ca56151d8a4125a33de15b1e849d0c0817ac2313b03dd092981b2cf27ffecf8
Instruction Fuzzy Hash: B8D02E30900A88CEC300BB38E814A2C3F24AB06202F00D319E0A41A551EB20848ACB42

Function 06491AA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d155f22a2337238c7bfd4b791198143ce458b3e459fc7333913bfee4c55ec1
Instruction ID: 6b2f74913f5b9b88a1092557ff21a3e83254518763ffeea93f13933a17bfad83
Opcode Fuzzy Hash: e6d155f22a2337238c7bfd4b791198143ce458b3e459fc7333913bfee4c55ec1
Instruction Fuzzy Hash: AEC08C303905485FDA401BA0780973B3BCCC780212F480421F00DC7340DE14B8009560

Function 064D5741 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5415618717bab3b9be62a30157f58bbee7aacaedcb94c6c4efce91bd4d1ea5a
Instruction ID: e981501af24c6c74323b05f087f730dca6303e713e4c796234d187d78da4955d
Opcode Fuzzy Hash: a5415618717bab3b9be62a30157f58bbee7aacaedcb94c6c4efce91bd4d1ea5a
Instruction Fuzzy Hash: 0BC012381062909FC7069B2058504967B227B53246305C09AD0428E25285294805DB71

Function 064D63D1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921fb72af63864c9aaebe1818f12a88fec8fbdfbc3dec4c8a97364b5c8c70d9c
Instruction ID: ea8967885001cb0dbb66d34d725e382d380f42b443d51ef0796dc1c7f6d25ae7
Opcode Fuzzy Hash: 921fb72af63864c9aaebe1818f12a88fec8fbdfbc3dec4c8a97364b5c8c70d9c
Instruction Fuzzy Hash: 0DD0A930508701AEC709BBB8C820018BB72BFD2300B408AABE4891A220FA318858D762

Function 06491A90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6022b2f1f1b7caccf4c97068e64236ce6a47a19e126e44c57b31b8864e6233d
Instruction ID: 3739a21efba5a8ec73268f1e04a72623c9bc9d6c4eb669c1942fb59bafd57e09
Opcode Fuzzy Hash: b6022b2f1f1b7caccf4c97068e64236ce6a47a19e126e44c57b31b8864e6233d
Instruction Fuzzy Hash: BFD012316542D59FD70107A4651862A3F55EB41313B0D099BF446CB3D1DE14AC489761

Function 06498760 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f45d2d549c302a9ec70498127bd2da57a7c1bf1c306afc1389f708ef38f313
Instruction ID: 99aa976b8f03fc0b76f0f92f5e853ea320e33d203b1138e531cbb841b5d01b16
Opcode Fuzzy Hash: f0f45d2d549c302a9ec70498127bd2da57a7c1bf1c306afc1389f708ef38f313
Instruction Fuzzy Hash: ADC0123285060DCFC700BAA8E40489CBFB8BB29300B00822AE4456A200FB20A1A9CB91

Function 06498730 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725486484.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6490000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4b0d7154a523d9e588955d5b3551e9501c773f809fbfccb90289a24ce111bf
Instruction ID: c0d9a2b62299ce79df1e958ccfaff4d49111ef701f34ee1b190d0215e3d36063
Opcode Fuzzy Hash: ec4b0d7154a523d9e588955d5b3551e9501c773f809fbfccb90289a24ce111bf
Instruction Fuzzy Hash: 1DC0123141060CCFC700BA68D40485CBF78AB15200B409129E44516111EB30A599CB91

Function 064D46F8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1725710329.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce1ad3aa8cbd993ce2f99d9ff82eacf0c4310d1e820b40342bb1b88222f6895
Instruction ID: d6507cdddf798a37fd52bce261d1b9fde2acf9978caf41f87d5c58b6de2125bb
Opcode Fuzzy Hash: cce1ad3aa8cbd993ce2f99d9ff82eacf0c4310d1e820b40342bb1b88222f6895
Instruction Fuzzy Hash: 4FC08C24B2C24847CF09AFA4E8243733FE1A783B08B417094E0E183684CB305440DA61

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8bZMO28ywp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8bZMO28ywp.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Roaming\d3d9.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
8bZMO28ywp.exe

Function 6CE686E0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 292
libraryloaderCOMMON

Function 014B0E46 Relevance: 2.7, Strings: 2, Instructions: 246
COMMON

Function 014B0D74 Relevance: 2.7, Strings: 2, Instructions: 242
COMMON

Function 014B0ADD Relevance: 2.7, Strings: 2, Instructions: 240
COMMON

Function 014B0ACD Relevance: 2.7, Strings: 2, Instructions: 237
COMMON

Function 014B08DF Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Function 014B0969 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Function 014B0AB4 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Function 014B0D17 Relevance: 2.7, Strings: 2, Instructions: 230
COMMON

Function 014B0C04 Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Function 014B09C6 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Function 6CE77EE8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CE77F98 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre