Edit tour

Windows Analysis Report
L814CyOxMT.exe

Overview

General Information

Sample name:	L814CyOxMT.exe
Analysis ID:	1550367
MD5:	27e03cf0e06e2536b8bac6914d4c4cb5
SHA1:	535b3de99526f6957a13f1225ec60b1c17599383
SHA256:	9460f252a78ee97283975e9aa8aa6292b1674c7fe632914b3e09bdb3af56078e
Infos:

Detection

Flesh Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Flesh Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Creates HTML files with .exe extension (expired dropper behavior)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64native

L814CyOxMT.exe (PID: 6424 cmdline: "C:\Users\user\Desktop\L814CyOxMT.exe" MD5: 27E03CF0E06E2536B8BAC6914D4C4CB5)

MSBuild.exe (PID: 2752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cmd.exe (PID: 8180 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 5332 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

netsh.exe (PID: 7332 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 6100 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
L814CyOxMT.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
L814CyOxMT.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
L814CyOxMT.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
L814CyOxMT.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x233ff5:$s1: file:/// 0x233ee1:$s2: {11111-22222-10009-11112} 0x233f85:$s3: {11111-22222-50001-00000} 0x22aec8:$s4: get_Module 0x22ad57:$s5: Reverse 0x233085:$s6: BlockCopy 0x233780:$s7: ReadByte 0x234007:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.887052638593.0000000004DB3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FleshStealer	Yara detected Flesh Stealer	Joe Security
00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FleshStealer	Yara detected Flesh Stealer	Joe Security
00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.887052638593.0000000004F89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FleshStealer	Yara detected Flesh Stealer	Joe Security
Process Memory Space: L814CyOxMT.exe PID: 6424	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: MSBuild.exe PID: 2752	JoeSecurity_FleshStealer	Yara detected Flesh Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.L814CyOxMT.exe.890000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.L814CyOxMT.exe.890000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.L814CyOxMT.exe.890000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.L814CyOxMT.exe.890000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x233ff5:$s1: file:/// 0x233ee1:$s2: {11111-22222-10009-11112} 0x233f85:$s3: {11111-22222-50001-00000} 0x22aec8:$s4: get_Module 0x22ad57:$s5: Reverse 0x233085:$s6: BlockCopy 0x233780:$s7: ReadByte 0x234007:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 142.250.81.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2752, Protocol: tcp, SourceIp: 192.168.11.30, SourceIsIpv6: false, SourcePort: 49870

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 2752, ParentProcessName: MSBuild.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 8180, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: L814CyOxMT.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: L814CyOxMT.exe

ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: L814CyOxMT.exe

Joe Sandbox ML: detected

Source: L814CyOxMT.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.11.30:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.40.132:443 -> 192.168.11.30:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.11.30:49873 version: TLS 1.2

Source: L814CyOxMT.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: q<costura.costura.pdb.compressed source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed@\ source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: L814CyOxMT.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: L814CyOxMT.exe

Networking

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: downloadedFile.exe.2.dr

Source: global traffic

TCP traffic: 192.168.11.30:49876 -> 89.23.100.233:9929

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 13.169.14.0.in-addr.arpa

Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: MSBuild.exe, 00000002.00000002.887043771614.00000000014BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000002.00000002.887043771614.00000000014BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crt0
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.comd
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: downloadedFile.exe.2.dr	String found in binary or memory: http://schema.org/WebPage
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://timestamp.digicert.com;http://timestamp.globalsign.com/?signature=sha2;http://sha256timestamp
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://timestamp.digicert.com;http://timestamp.globalsign.com/scripts/timstamp.dll;http://timestamp.
Source: MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: downloadedFile.exe.2.dr	String found in binary or memory: https://apis.google.com
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: downloadedFile.exe.2.dr	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: downloadedFile.exe.2.dr	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.nDpqIaYUvbc2
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/FleshStealer
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/FleshStealert-
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: downloadedFile.exe.2.dr	String found in binary or memory: https://www.gstatic.com
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.KjXOcg0MwWUa
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.v0Tuu-6tuqZF
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/127.0/whatsnew/?oldversion=116.0.3&utm_medium=firefox-desktop&
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/firefox/127.0/whatsnew/?oldversion=116.0.3&utm_medium=firefox-desktop&utm_so
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/media/protocol/img/logos/firefox/browser/og.4ad05d4125a5.png
Source: tmp6926.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443

Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.11.30:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.40.132:443 -> 192.168.11.30:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.11.30:49873 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: L814CyOxMT.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: L814CyOxMT.exe, vC2G8SBgZeSV3J31nP.cs

Large array initialization: vC2G8SBgZeSV3J31nP: array initializer size 140816

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013F9338	0_2_013F9338
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013F4290	0_2_013F4290
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013F79CC	0_2_013F79CC
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013FCF00	0_2_013FCF00
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013F4280	0_2_013F4280
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013F09A0	0_2_013F09A0
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013F0990	0_2_013F0990
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_013FCEF0	0_2_013FCEF0
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_05538638	0_2_05538638
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_05538628	0_2_05538628
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_055399F8	0_2_055399F8
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_05539A08	0_2_05539A08
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_057B0040	0_2_057B0040
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_057B0007	0_2_057B0007
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_057BEB60	0_2_057BEB60
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_057BEB50	0_2_057BEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FA52D8	2_2_02FA52D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FA4A08	2_2_02FA4A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FA46C0	2_2_02FA46C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FA5E00	2_2_02FA5E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FA5DD0	2_2_02FA5DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AA5650	2_2_06AA5650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AA8610	2_2_06AA8610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AA1388	2_2_06AA1388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AA136F	2_2_06AA136F

Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs L814CyOxMT.exe
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStealer.exe" vs L814CyOxMT.exe
Source: L814CyOxMT.exe, 00000000.00000002.886809267242.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs L814CyOxMT.exe
Source: L814CyOxMT.exe, 00000000.00000000.886803090789.0000000000AE4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs L814CyOxMT.exe
Source: L814CyOxMT.exe, 00000000.00000002.886811217197.0000000004009000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStealer.exe" vs L814CyOxMT.exe
Source: L814CyOxMT.exe	Binary or memory string: OriginalFilenameStub.exe* vs L814CyOxMT.exe

Source: L814CyOxMT.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: L814CyOxMT.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: L814CyOxMT.exe, hFmnwo53WNRHDu8S5dR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: L814CyOxMT.exe, hFmnwo53WNRHDu8S5dR.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, jtZESmvCzFDQAhIBrzI.cs	Base64 encoded string: 'X1x8V0FSTklORzotRE8tTk9ULVNIQVJFLVRISVMuLS1TaGFyaW5nLXRoaXMtd2lsbC1hbGxvdy1zb21lb25lLXRvLWxvZy1pbi1hcy15b3UtYW5kLXRvLXN0ZWFsLXlvdXItUk9CVVgtYW5kLWl0ZW1zXC5cfF9bQS1aMC05XSs=', 'U09GVFdBUkVcUm9ibG94XFJvYmxveFN0dWRpb0Jyb3dzZXJccm9ibG94LmNvbQ==', 'U09GVFdBUkVcUm9ibG94XFJvYmxveFN0dWRpb0Jyb3dzZXJccm9ibG94LmNvbQ=='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, LZKaFKIbgVRXpAKmWtCJbtPzc.cs	Base64 encoded string: 'XihbYS16QS1aMC05X1wtXC5dKylAKFthLXpBLVowLTlfXC1cLl0rKVwuKFthLXpBLVpdezIsNX0pJA==', 'Xig/ITpcL1wvKShbYS16QS1aMC05LV9dK1wuKSpbYS16QS1aMC05XVthLXpBLVowLTktX10rXC5bYS16QS1aXXsyLDExfT8k', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNi4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2luZG93cyBNZXNzYWdpbmcgU3Vic3lzdGVtXFByb2ZpbGVzXE91dGxvb2tcOTM3NUNGRjA0MTMxMTFkM0I4OEEwMDEwNEIyQTY2NzY=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTWVzc2FnaW5nIFN1YnN5c3RlbVxQcm9maWxlc1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng=='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, kBSsDNHWhOdBUr.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb24='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, FvEjVqqzSw.cs	Base64 encoded string: 'L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, wbFVXnbgKqsUTCdn.cs	Base64 encoded string: 'QUNnYktLOG8veWpmS084b1Z5ajJLRElvUVNpQUtFQW9KQ2dzS0E4b0pTZ2tLQUFvUUNocEtKSW96aWk5S1A4byt5Z3ZLQjRvQVNnZ0FBPT0=', 'QUNnQUtBQW9BQ2lKS0Iwb0V5aTdLT1FvZUNnaktFQW9BQ2dBS0FBb0FDZ0FLQ0FvR2lqMEtING9YeWdKS0NNb1FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW80Q2p6S01Zb0ZDZ0pLQThvL3loRUtMRW81Q2lFS01Bb3BDajBLRWNvOENoZktLa29BU2dnS0hRb2Z5aEVLQUFvQUNnZ0FBPT0=', 'QUNnQUtLQW9BU2lBS0E0b0FDZ0FLQmdvL0NoL0tEc29HU2pOS01Bb1BDZzVLRjhvL3lqRUtNTW9BQ2dBS0Jnb1JDZ0lLRVFvQUNnZ0FBPT0=', 'QUNnQUtBY29nQ2pzS1BZbzdDaHJLSXNvZkNpM0tGY29nQ2lYS0Frb0p5aEFLTW9vdUNqbktORW85Q2p0S1BRbzlDaEVLRGdvQUNnZ0FBPT0=', 'QUNpNEtBQW9DQ2dKS0Jzb055aitLUDhveHlqdktPY295eWlKS0gwb0RTaVpLUDBvemlqL0tQOG9KeWdmS0Fzb0FTaEdLQUFvUkNnZ0FBPT0=', 'QUNpNEtJQW9RQ2dBS0lBb1lDZ1lLSWtvZnlqL0tQOG8veWhXS0FFb3NDai9LUDhvL3lqL0tFZ29FU2dpS01Bb0FDam5LRUFvUnlnZ0FBPT0=', 'QUNnWUtFNG9EeWdXS0JNb0VpZ1NLRG9vL3loSUtMY29neWdCS0FBb0RpZzhLSDRveVNqL0tBY29BQ2dBS0Fnb2dTZ0pLS3NvQUNnZ0FBPT0=', 'QUNnQUtLRW9BQ2dRS0VBb0FDZ0FLQUFvT1NqL0tPNG9JaWhIS0FBb3VDZ1FLUFVvdnlnTEtBQW9BQ2dBS0FBb0JpZ0FLRXdvQUNnZ0FBPT0=', 'QUNnQUtBQW9veWdBS0Fnb2hDZ0FLQUFvQUNnSUtCa29SeWhHS0JBb3VDaTRLQXNvQVNnQUtBQW9BQ2dBS0Fvb0FDaGNLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dSS01Rb0FDZ1JLSVFvUUNnQUtBQW8veWptS09RbzlDaitLQUFvQUNnQUtFQW9FQ2dCS09Bb0NpZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0Fnb0VpaWtLSDhvQ0NnUUtBQW9OQ2l0S1A4bzdTZ3VLQUFvRWlncEtQNG9aQ2dhS0FFb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQWdvRUNnQUtDUW9BQ2lJS1BZb1dDZ0FLQ1FvRkNnQ0tBRW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0Jrb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FDQUE=', 'WEhSVVpXeGxaM0poYlRvZ2FIUjBjSE02THk5MExtMWxMMFpzWlhOb1UzUmxZV3hsY2c9PQ==', 'Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB', 'Q1FBSkFEM1lGdDBnQUVJQWJ3QnZBR3NBYlFCaEFISUFhd0J6QURvQUlBQT0=', 'Q1FBSkFEM1k1dHdnQUVRQWJ3QjNBRzRBYkFCdkFHRUFaQUJ6QURvQUlBQT0=', 'Q1FBSkFEellxTjhnQUZJQVpRQnpBSFFBYndCeUFHVUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSkFEN1l5dDBnQUZjQVlRQnNBR3dBWlFCMEFITUFPZ0FnQUE9PQ==', 'Q1FCRUp3LytJQUJYQUdFQWJBQnNBR1VBZEFCekFDQUFRUUJ3QUhBQU9nQWdBQT09', 'Q1FBKzJLTGRJQUJRQUdrQVpBQm5BR2tBYmdBZ0FFRUFjQUJ3QURvQUlBQT0=', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSUp3LytJQUJVQUdVQWJBQmxBR2NBY2dCaEFHMEFJQUJ6QUdVQWN3QnpBR2tBYndCdUFITUE=', 'Q1FBQkpnLytJQUJUQUdzQWVRQndBR1VBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFkQUJ2QUdzQVpRQnVBQT09', 'Q1FBOTJLM2NJQUJUQUdrQVp3QnVBR0VBYkFBZ0FITUFaUUJ6QUhNQWFRQnZBRzRB', 'Q1FBODJLN2ZJQUJUQUhRQVpRQmhBRzBBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBODJLN2ZJQUJWQUhBQWJBQmhBSGtBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FDWkpnLytJQUJRQUhJQWJ3QmpBR1VBY3dCekFHVUFjd0E2QUNBQQ=='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, NjyaIBfIPSuBSQzciPqBOz.cs	Base64 encoded string: 'U0VMRUNUIEV4ZWN1dGFibGVQYXRoLCBQcm9jZXNzSUQgRlJPTSBXaW4zMl9Qcm9jZXNz'
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, WhDYSQjWqXwEvSjwPTd.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U09GVFdBUkVcV293NjQzMk5vZGVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWw=', 'TmFtZQlWZXJzaW9uCUluc3RhbGxEYXRlCVB1Ymxpc2hlcglJbnN0YWxsTG9jYXRpb24JVW5pbnN0YWxsQ29tbWFuZA=='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, ObPglGeVfetPDqezDE.cs	Base64 encoded string: 'SEFSRFdBUkVcRGVzY3JpcHRpb25cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'Tm8gbmV0d29yayBhZGFwdGVycyB3aXRoIGFuIElQdjQgYWRkcmVzcyBpbiB0aGUgc3lzdGVtIQ=='
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, qkZCFIqLhHpgulddqXURmcgNM.cs	Base64 encoded string: 'L0MgY2hjcCA2NTAwMSAmJiBuZXRzaCB3bGFuIHNob3cgcHJvZmlsZXMgfCBmaW5kc3RyIEFsbA==', 'L0MgY2hjcCA2NTAwMSAmJiBuZXRzaCB3bGFuIHNob3cgcHJvZmlsZSBuYW1lPSI='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, jtZESmvCzFDQAhIBrzI.cs	Base64 encoded string: 'X1x8V0FSTklORzotRE8tTk9ULVNIQVJFLVRISVMuLS1TaGFyaW5nLXRoaXMtd2lsbC1hbGxvdy1zb21lb25lLXRvLWxvZy1pbi1hcy15b3UtYW5kLXRvLXN0ZWFsLXlvdXItUk9CVVgtYW5kLWl0ZW1zXC5cfF9bQS1aMC05XSs=', 'U09GVFdBUkVcUm9ibG94XFJvYmxveFN0dWRpb0Jyb3dzZXJccm9ibG94LmNvbQ==', 'U09GVFdBUkVcUm9ibG94XFJvYmxveFN0dWRpb0Jyb3dzZXJccm9ibG94LmNvbQ=='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, LZKaFKIbgVRXpAKmWtCJbtPzc.cs	Base64 encoded string: 'XihbYS16QS1aMC05X1wtXC5dKylAKFthLXpBLVowLTlfXC1cLl0rKVwuKFthLXpBLVpdezIsNX0pJA==', 'Xig/ITpcL1wvKShbYS16QS1aMC05LV9dK1wuKSpbYS16QS1aMC05XVthLXpBLVowLTktX10rXC5bYS16QS1aXXsyLDExfT8k', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNi4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2luZG93cyBNZXNzYWdpbmcgU3Vic3lzdGVtXFByb2ZpbGVzXE91dGxvb2tcOTM3NUNGRjA0MTMxMTFkM0I4OEEwMDEwNEIyQTY2NzY=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTWVzc2FnaW5nIFN1YnN5c3RlbVxQcm9maWxlc1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng=='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, kBSsDNHWhOdBUr.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb24='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, FvEjVqqzSw.cs	Base64 encoded string: 'L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, wbFVXnbgKqsUTCdn.cs	Base64 encoded string: 'QUNnYktLOG8veWpmS084b1Z5ajJLRElvUVNpQUtFQW9KQ2dzS0E4b0pTZ2tLQUFvUUNocEtKSW96aWk5S1A4byt5Z3ZLQjRvQVNnZ0FBPT0=', 'QUNnQUtBQW9BQ2lKS0Iwb0V5aTdLT1FvZUNnaktFQW9BQ2dBS0FBb0FDZ0FLQ0FvR2lqMEtING9YeWdKS0NNb1FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW80Q2p6S01Zb0ZDZ0pLQThvL3loRUtMRW81Q2lFS01Bb3BDajBLRWNvOENoZktLa29BU2dnS0hRb2Z5aEVLQUFvQUNnZ0FBPT0=', 'QUNnQUtLQW9BU2lBS0E0b0FDZ0FLQmdvL0NoL0tEc29HU2pOS01Bb1BDZzVLRjhvL3lqRUtNTW9BQ2dBS0Jnb1JDZ0lLRVFvQUNnZ0FBPT0=', 'QUNnQUtBY29nQ2pzS1BZbzdDaHJLSXNvZkNpM0tGY29nQ2lYS0Frb0p5aEFLTW9vdUNqbktORW85Q2p0S1BRbzlDaEVLRGdvQUNnZ0FBPT0=', 'QUNpNEtBQW9DQ2dKS0Jzb055aitLUDhveHlqdktPY295eWlKS0gwb0RTaVpLUDBvemlqL0tQOG9KeWdmS0Fzb0FTaEdLQUFvUkNnZ0FBPT0=', 'QUNpNEtJQW9RQ2dBS0lBb1lDZ1lLSWtvZnlqL0tQOG8veWhXS0FFb3NDai9LUDhvL3lqL0tFZ29FU2dpS01Bb0FDam5LRUFvUnlnZ0FBPT0=', 'QUNnWUtFNG9EeWdXS0JNb0VpZ1NLRG9vL3loSUtMY29neWdCS0FBb0RpZzhLSDRveVNqL0tBY29BQ2dBS0Fnb2dTZ0pLS3NvQUNnZ0FBPT0=', 'QUNnQUtLRW9BQ2dRS0VBb0FDZ0FLQUFvT1NqL0tPNG9JaWhIS0FBb3VDZ1FLUFVvdnlnTEtBQW9BQ2dBS0FBb0JpZ0FLRXdvQUNnZ0FBPT0=', 'QUNnQUtBQW9veWdBS0Fnb2hDZ0FLQUFvQUNnSUtCa29SeWhHS0JBb3VDaTRLQXNvQVNnQUtBQW9BQ2dBS0Fvb0FDaGNLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dSS01Rb0FDZ1JLSVFvUUNnQUtBQW8veWptS09RbzlDaitLQUFvQUNnQUtFQW9FQ2dCS09Bb0NpZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0Fnb0VpaWtLSDhvQ0NnUUtBQW9OQ2l0S1A4bzdTZ3VLQUFvRWlncEtQNG9aQ2dhS0FFb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQWdvRUNnQUtDUW9BQ2lJS1BZb1dDZ0FLQ1FvRkNnQ0tBRW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0Jrb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FDQUE=', 'WEhSVVpXeGxaM0poYlRvZ2FIUjBjSE02THk5MExtMWxMMFpzWlhOb1UzUmxZV3hsY2c9PQ==', 'Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB', 'Q1FBSkFEM1lGdDBnQUVJQWJ3QnZBR3NBYlFCaEFISUFhd0J6QURvQUlBQT0=', 'Q1FBSkFEM1k1dHdnQUVRQWJ3QjNBRzRBYkFCdkFHRUFaQUJ6QURvQUlBQT0=', 'Q1FBSkFEellxTjhnQUZJQVpRQnpBSFFBYndCeUFHVUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSkFEN1l5dDBnQUZjQVlRQnNBR3dBWlFCMEFITUFPZ0FnQUE9PQ==', 'Q1FCRUp3LytJQUJYQUdFQWJBQnNBR1VBZEFCekFDQUFRUUJ3QUhBQU9nQWdBQT09', 'Q1FBKzJLTGRJQUJRQUdrQVpBQm5BR2tBYmdBZ0FFRUFjQUJ3QURvQUlBQT0=', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSUp3LytJQUJVQUdVQWJBQmxBR2NBY2dCaEFHMEFJQUJ6QUdVQWN3QnpBR2tBYndCdUFITUE=', 'Q1FBQkpnLytJQUJUQUdzQWVRQndBR1VBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFkQUJ2QUdzQVpRQnVBQT09', 'Q1FBOTJLM2NJQUJUQUdrQVp3QnVBR0VBYkFBZ0FITUFaUUJ6QUhNQWFRQnZBRzRB', 'Q1FBODJLN2ZJQUJUQUhRQVpRQmhBRzBBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBODJLN2ZJQUJWQUhBQWJBQmhBSGtBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FDWkpnLytJQUJRQUhJQWJ3QmpBR1VBY3dCekFHVUFjd0E2QUNBQQ=='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, NjyaIBfIPSuBSQzciPqBOz.cs	Base64 encoded string: 'U0VMRUNUIEV4ZWN1dGFibGVQYXRoLCBQcm9jZXNzSUQgRlJPTSBXaW4zMl9Qcm9jZXNz'
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, WhDYSQjWqXwEvSjwPTd.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U09GVFdBUkVcV293NjQzMk5vZGVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWw=', 'TmFtZQlWZXJzaW9uCUluc3RhbGxEYXRlCVB1Ymxpc2hlcglJbnN0YWxsTG9jYXRpb24JVW5pbnN0YWxsQ29tbWFuZA=='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, ObPglGeVfetPDqezDE.cs	Base64 encoded string: 'SEFSRFdBUkVcRGVzY3JpcHRpb25cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'Tm8gbmV0d29yayBhZGFwdGVycyB3aXRoIGFuIElQdjQgYWRkcmVzcyBpbiB0aGUgc3lzdGVtIQ=='
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, qkZCFIqLhHpgulddqXURmcgNM.cs	Base64 encoded string: 'L0MgY2hjcCA2NTAwMSAmJiBuZXRzaCB3bGFuIHNob3cgcHJvZmlsZXMgfCBmaW5kc3RyIEFsbA==', 'L0MgY2hjcCA2NTAwMSAmJiBuZXRzaCB3bGFuIHNob3cgcHJvZmlsZSBuYW1lPSI='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, jtZESmvCzFDQAhIBrzI.cs	Base64 encoded string: 'X1x8V0FSTklORzotRE8tTk9ULVNIQVJFLVRISVMuLS1TaGFyaW5nLXRoaXMtd2lsbC1hbGxvdy1zb21lb25lLXRvLWxvZy1pbi1hcy15b3UtYW5kLXRvLXN0ZWFsLXlvdXItUk9CVVgtYW5kLWl0ZW1zXC5cfF9bQS1aMC05XSs=', 'U09GVFdBUkVcUm9ibG94XFJvYmxveFN0dWRpb0Jyb3dzZXJccm9ibG94LmNvbQ==', 'U09GVFdBUkVcUm9ibG94XFJvYmxveFN0dWRpb0Jyb3dzZXJccm9ibG94LmNvbQ=='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, LZKaFKIbgVRXpAKmWtCJbtPzc.cs	Base64 encoded string: 'XihbYS16QS1aMC05X1wtXC5dKylAKFthLXpBLVowLTlfXC1cLl0rKVwuKFthLXpBLVpdezIsNX0pJA==', 'Xig/ITpcL1wvKShbYS16QS1aMC05LV9dK1wuKSpbYS16QS1aMC05XVthLXpBLVowLTktX10rXC5bYS16QS1aXXsyLDExfT8k', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNi4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2luZG93cyBNZXNzYWdpbmcgU3Vic3lzdGVtXFByb2ZpbGVzXE91dGxvb2tcOTM3NUNGRjA0MTMxMTFkM0I4OEEwMDEwNEIyQTY2NzY=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTWVzc2FnaW5nIFN1YnN5c3RlbVxQcm9maWxlc1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng=='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, kBSsDNHWhOdBUr.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb24='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, FvEjVqqzSw.cs	Base64 encoded string: 'L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, wbFVXnbgKqsUTCdn.cs	Base64 encoded string: 'QUNnYktLOG8veWpmS084b1Z5ajJLRElvUVNpQUtFQW9KQ2dzS0E4b0pTZ2tLQUFvUUNocEtKSW96aWk5S1A4byt5Z3ZLQjRvQVNnZ0FBPT0=', 'QUNnQUtBQW9BQ2lKS0Iwb0V5aTdLT1FvZUNnaktFQW9BQ2dBS0FBb0FDZ0FLQ0FvR2lqMEtING9YeWdKS0NNb1FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW80Q2p6S01Zb0ZDZ0pLQThvL3loRUtMRW81Q2lFS01Bb3BDajBLRWNvOENoZktLa29BU2dnS0hRb2Z5aEVLQUFvQUNnZ0FBPT0=', 'QUNnQUtLQW9BU2lBS0E0b0FDZ0FLQmdvL0NoL0tEc29HU2pOS01Bb1BDZzVLRjhvL3lqRUtNTW9BQ2dBS0Jnb1JDZ0lLRVFvQUNnZ0FBPT0=', 'QUNnQUtBY29nQ2pzS1BZbzdDaHJLSXNvZkNpM0tGY29nQ2lYS0Frb0p5aEFLTW9vdUNqbktORW85Q2p0S1BRbzlDaEVLRGdvQUNnZ0FBPT0=', 'QUNpNEtBQW9DQ2dKS0Jzb055aitLUDhveHlqdktPY295eWlKS0gwb0RTaVpLUDBvemlqL0tQOG9KeWdmS0Fzb0FTaEdLQUFvUkNnZ0FBPT0=', 'QUNpNEtJQW9RQ2dBS0lBb1lDZ1lLSWtvZnlqL0tQOG8veWhXS0FFb3NDai9LUDhvL3lqL0tFZ29FU2dpS01Bb0FDam5LRUFvUnlnZ0FBPT0=', 'QUNnWUtFNG9EeWdXS0JNb0VpZ1NLRG9vL3loSUtMY29neWdCS0FBb0RpZzhLSDRveVNqL0tBY29BQ2dBS0Fnb2dTZ0pLS3NvQUNnZ0FBPT0=', 'QUNnQUtLRW9BQ2dRS0VBb0FDZ0FLQUFvT1NqL0tPNG9JaWhIS0FBb3VDZ1FLUFVvdnlnTEtBQW9BQ2dBS0FBb0JpZ0FLRXdvQUNnZ0FBPT0=', 'QUNnQUtBQW9veWdBS0Fnb2hDZ0FLQUFvQUNnSUtCa29SeWhHS0JBb3VDaTRLQXNvQVNnQUtBQW9BQ2dBS0Fvb0FDaGNLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dSS01Rb0FDZ1JLSVFvUUNnQUtBQW8veWptS09RbzlDaitLQUFvQUNnQUtFQW9FQ2dCS09Bb0NpZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0Fnb0VpaWtLSDhvQ0NnUUtBQW9OQ2l0S1A4bzdTZ3VLQUFvRWlncEtQNG9aQ2dhS0FFb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQWdvRUNnQUtDUW9BQ2lJS1BZb1dDZ0FLQ1FvRkNnQ0tBRW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0Jrb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FDQUE=', 'WEhSVVpXeGxaM0poYlRvZ2FIUjBjSE02THk5MExtMWxMMFpzWlhOb1UzUmxZV3hsY2c9PQ==', 'Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB', 'Q1FBSkFEM1lGdDBnQUVJQWJ3QnZBR3NBYlFCaEFISUFhd0J6QURvQUlBQT0=', 'Q1FBSkFEM1k1dHdnQUVRQWJ3QjNBRzRBYkFCdkFHRUFaQUJ6QURvQUlBQT0=', 'Q1FBSkFEellxTjhnQUZJQVpRQnpBSFFBYndCeUFHVUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSkFEN1l5dDBnQUZjQVlRQnNBR3dBWlFCMEFITUFPZ0FnQUE9PQ==', 'Q1FCRUp3LytJQUJYQUdFQWJBQnNBR1VBZEFCekFDQUFRUUJ3QUhBQU9nQWdBQT09', 'Q1FBKzJLTGRJQUJRQUdrQVpBQm5BR2tBYmdBZ0FFRUFjQUJ3QURvQUlBQT0=', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSUp3LytJQUJVQUdVQWJBQmxBR2NBY2dCaEFHMEFJQUJ6QUdVQWN3QnpBR2tBYndCdUFITUE=', 'Q1FBQkpnLytJQUJUQUdzQWVRQndBR1VBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFkQUJ2QUdzQVpRQnVBQT09', 'Q1FBOTJLM2NJQUJUQUdrQVp3QnVBR0VBYkFBZ0FITUFaUUJ6QUhNQWFRQnZBRzRB', 'Q1FBODJLN2ZJQUJUQUhRQVpRQmhBRzBBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBODJLN2ZJQUJWQUhBQWJBQmhBSGtBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FDWkpnLytJQUJRQUhJQWJ3QmpBR1VBY3dCekFHVUFjd0E2QUNBQQ=='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, NjyaIBfIPSuBSQzciPqBOz.cs	Base64 encoded string: 'U0VMRUNUIEV4ZWN1dGFibGVQYXRoLCBQcm9jZXNzSUQgRlJPTSBXaW4zMl9Qcm9jZXNz'
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, WhDYSQjWqXwEvSjwPTd.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U09GVFdBUkVcV293NjQzMk5vZGVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWw=', 'TmFtZQlWZXJzaW9uCUluc3RhbGxEYXRlCVB1Ymxpc2hlcglJbnN0YWxsTG9jYXRpb24JVW5pbnN0YWxsQ29tbWFuZA=='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, ObPglGeVfetPDqezDE.cs	Base64 encoded string: 'SEFSRFdBUkVcRGVzY3JpcHRpb25cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'Tm8gbmV0d29yayBhZGFwdGVycyB3aXRoIGFuIElQdjQgYWRkcmVzcyBpbiB0aGUgc3lzdGVtIQ=='
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, qkZCFIqLhHpgulddqXURmcgNM.cs	Base64 encoded string: 'L0MgY2hjcCA2NTAwMSAmJiBuZXRzaCB3bGFuIHNob3cgcHJvZmlsZXMgfCBmaW5kc3RyIEFsbA==', 'L0MgY2hjcCA2NTAwMSAmJiBuZXRzaCB3bGFuIHNob3cgcHJvZmlsZSBuYW1lPSI='

Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, FvEjVqqzSw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, FvEjVqqzSw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, FvEjVqqzSw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, FvEjVqqzSw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, FvEjVqqzSw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, FvEjVqqzSw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/5@4/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_06AA1C00 CreateToolhelp32Snapshot,

2_2_06AA1C00

Source: C:\Users\user\Desktop\L814CyOxMT.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\L814CyOxMT.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\downloadedFile.exe

Jump to behavior

Source: L814CyOxMT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: L814CyOxMT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: L814CyOxMT.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\L814CyOxMT.exe

File read: C:\Users\user\Desktop\L814CyOxMT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\L814CyOxMT.exe "C:\Users\user\Desktop\L814CyOxMT.exe"
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: L814CyOxMT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: L814CyOxMT.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: L814CyOxMT.exe

Static file information: File size 2430976 > 1048576

Source: L814CyOxMT.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x250e00

Source: L814CyOxMT.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: q<costura.costura.pdb.compressed source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed@\ source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: L814CyOxMT.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: L814CyOxMT.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: L814CyOxMT.exe, hFmnwo53WNRHDu8S5dR.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: L814CyOxMT.exe, AssemblyLoader.cs

.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: L814CyOxMT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: L814CyOxMT.exe PID: 6424, type: MEMORYSTR

Source: L814CyOxMT.exe

Static PE information: 0xF6DB9E99 [Wed Mar 30 01:08:41 2101 UTC]

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Code function: 0_2_05536EA8 push esp; retf	0_2_05536EA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAD281 push es; ret	2_2_02FAD296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAD261 push es; ret	2_2_02FAD276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAC83A push es; ret	2_2_02FAC846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAE6D2 push es; ret	2_2_02FAE6E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAA610 push es; ret	2_2_02FAA626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAC850 push esp; retf	2_2_02FAC851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FACEF2 push es; ret	2_2_02FACF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02FAF740 push es; ret	2_2_02FAF750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AAB6BE push es; ret	2_2_06AAB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AA6E40 push es; ret	2_2_06AA6E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06AA4F9C push esp; iretd	2_2_06AA4F9D

Source: L814CyOxMT.exe, rFohpatkdxsVcxLfJKhM7.cs	High entropy of concatenated method names: 'YLKleFPZbr', 'lA8lCfAH8v', 'RsFl32ciV6', 'n4WlQbuIKJ', 'P0WlrK5hXy', 'WYSlPlOMjf', 'IbNlSCoIe7', 'kNkl1reF1l', 'mPvlqBvp4P', 'W2NlbPoBgD'
Source: L814CyOxMT.exe, xcC745NLx036DusXTBA.cs	High entropy of concatenated method names: 'scgcTuDpei', 'wwLcMGi0NL', 'gLKcHtbfSe', 'IVlc9M3gxI', 'FXucDbO11p', 'p9OcXuMk2T', 'O5Scdb4etA', 'p3xcbHPNyR', 'EZQcRbjp6a', 'vVjcAUKx63'
Source: L814CyOxMT.exe, AlqUw6VJ8JdE2WatO8h.cs	High entropy of concatenated method names: 'opvVPmUwNc', 'C7eNpBqeIt', 'wP9NVjQQNc', 'tc5Vz0H4cx', 'FELNNlMtYK', 'TajNvmJ8Kv', 'liTWaiwZ0S', 'XHWW5NTjmr', 'smgWpKpXKk', 'J4cN0DYeaU'
Source: L814CyOxMT.exe, rQ5un29dJePvMnhe24u.cs	High entropy of concatenated method names: 'dMoDyomLaJ', 'T7ODx6PeZ6', 'oklDT8oAAv', 'DgGDMCypHF', 'sVpDHFsB1s', 'Uv2D9JMEjD', 'BxiDDy2NkC', 'eoFDXk6xoB', 'SEI7XVG3r0vsLRu6TU6', 'oOPJ59GZcbUCVGsHBpt'
Source: L814CyOxMT.exe, hFmnwo53WNRHDu8S5dR.cs	High entropy of concatenated method names: 'O8oVf2tXysXui2kFFKo', 'd9gNdvtdY7DUoUsjEmw', 'HIlVcPDGHR', 'nW4lBacjpc', 'iPnV9BE8T3', 'K4tVD7W4G0', 'z7uVXAwfOV', 'MYWVdphfpZ', 'MtW2JoWPJk', 'SbL5Zpya1l'
Source: L814CyOxMT.exe, vC2G8SBgZeSV3J31nP.cs	High entropy of concatenated method names: 'J6amR68fR', 'eUJEOW5yW', 'QuXK8adxK', 'dlpJr0euc', 'FvVPgtHFO', 'MXDzbKyMq', 'bDK5aDIEr1', 'cWv55XoFfV', 'yFK5pYTIdr', 'mIS5VrC0eB'
Source: L814CyOxMT.exe, AjKSJaDeC6HobQhmLGh.cs	High entropy of concatenated method names: 'KJd7y6WMIY', 'dv87x2SGGR', 'uup7TLRDsW', 'UST7MSw1Mj', 'AoB7HpKARI', 'EKK79CdlUv', 'pUu7D9eAHp', 'YNkDmBB16d', 'gDP7X4ZQCr', 'bSA7dGBXUB'
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, eslfKMDwHcovvTUIY.cs	High entropy of concatenated method names: 'VtqHRkvbRiSrFHLwyCscKdO', 'RkMGMbzTIEWkhXbBjivU', 'PXgjyUSPvgseHqgXoPp', 'zjAlbPbaqsbitEBNfXNH', 'DMYeGZguevTFmfgWvHjs', 'YDEKkCpTrRBiBvWcGVpvgMx', 'cHZUqkPdOqeJ', 'UVWqamdRXkjJupm', 'xKMFxhcdUcHBXULQMImzTEFZ', 'qFXpKwuckQfSEWns'
Source: 0.2.L814CyOxMT.exe.402bb80.0.raw.unpack, jFgPRPPUerxYrM.cs	High entropy of concatenated method names: 'LrfTXfkoAaZQFxiPuYWUx', 'NnyTabwtSTR', 'QZNaMiHyegsSFx', 'SNrkenHdsUDFIrGHGyrhJCTL', 'NyZgufOcfefajmbIvUFJdy', 'YYmTOQmQugwR', 'hwyppcdMahXLPYNhNCKOrB', 'IMzMsOlumVmb', 'WQTBVuyrOHyrZigemDwgopdqP', 'yonkqdxNKxiJsxDQtEAUS'
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, eslfKMDwHcovvTUIY.cs	High entropy of concatenated method names: 'VtqHRkvbRiSrFHLwyCscKdO', 'RkMGMbzTIEWkhXbBjivU', 'PXgjyUSPvgseHqgXoPp', 'zjAlbPbaqsbitEBNfXNH', 'DMYeGZguevTFmfgWvHjs', 'YDEKkCpTrRBiBvWcGVpvgMx', 'cHZUqkPdOqeJ', 'UVWqamdRXkjJupm', 'xKMFxhcdUcHBXULQMImzTEFZ', 'qFXpKwuckQfSEWns'
Source: 0.2.L814CyOxMT.exe.40707d0.1.raw.unpack, jFgPRPPUerxYrM.cs	High entropy of concatenated method names: 'LrfTXfkoAaZQFxiPuYWUx', 'NnyTabwtSTR', 'QZNaMiHyegsSFx', 'SNrkenHdsUDFIrGHGyrhJCTL', 'NyZgufOcfefajmbIvUFJdy', 'YYmTOQmQugwR', 'hwyppcdMahXLPYNhNCKOrB', 'IMzMsOlumVmb', 'WQTBVuyrOHyrZigemDwgopdqP', 'yonkqdxNKxiJsxDQtEAUS'
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, eslfKMDwHcovvTUIY.cs	High entropy of concatenated method names: 'VtqHRkvbRiSrFHLwyCscKdO', 'RkMGMbzTIEWkhXbBjivU', 'PXgjyUSPvgseHqgXoPp', 'zjAlbPbaqsbitEBNfXNH', 'DMYeGZguevTFmfgWvHjs', 'YDEKkCpTrRBiBvWcGVpvgMx', 'cHZUqkPdOqeJ', 'UVWqamdRXkjJupm', 'xKMFxhcdUcHBXULQMImzTEFZ', 'qFXpKwuckQfSEWns'
Source: 0.2.L814CyOxMT.exe.404e1b0.2.raw.unpack, jFgPRPPUerxYrM.cs	High entropy of concatenated method names: 'LrfTXfkoAaZQFxiPuYWUx', 'NnyTabwtSTR', 'QZNaMiHyegsSFx', 'SNrkenHdsUDFIrGHGyrhJCTL', 'NyZgufOcfefajmbIvUFJdy', 'YYmTOQmQugwR', 'hwyppcdMahXLPYNhNCKOrB', 'IMzMsOlumVmb', 'WQTBVuyrOHyrZigemDwgopdqP', 'yonkqdxNKxiJsxDQtEAUS'

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_PnPEntity

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598563	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window / User API: threadDelayed 9747

Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe TID: 3140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4360	Thread sleep time: -598563s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598563	Jump to behavior

Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NC:\WINDOWS\system32\drivers\vmmouse.sysLC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VIRTUALBOXTSOFTWARE\Oracle\VirtualBox Guest Additions noValueButYesKeyRC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: MSBuild.exe, 00000002.00000002.887043771614.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: L814CyOxMT.exe, 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000323D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure DriverSystemEnableMicrosoft Hyper-V Virtualization Infrastructure Driver

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\L814CyOxMT.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 426000	Jump to behavior
Source: C:\Users\user\Desktop\L814CyOxMT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E92008	Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior

Source: MSBuild.exe, 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q ACTIVE WINDOW: Program Managert-
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.887052638593.0000000004B14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ACTIVE WINDOW: Program Manager
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000323D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ACTIVE WINDOW: Program Manager@\
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe	Queries volume information: C:\Users\user\Desktop\L814CyOxMT.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\L814CyOxMT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Yara detected Flesh Stealer

Source: Yara match	File source: 00000002.00000002.887052638593.0000000004DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.887052638593.0000000004F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2752, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: L814CyOxMT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: L814CyOxMT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000002.00000002.887045237055.0000000003921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum@\
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Application Data Jaxx Liberty@\
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000323D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000323D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
Source: MSBuild.exe, 00000002.00000002.887045237055.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Application Data Exodus@\
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000323D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: MSBuild.exe, 00000002.00000002.887045237055.000000000323D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-
Source: L814CyOxMT.exe, 00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal WLAN passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\7tydjrzc.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\jfrd00o7.default\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior

Remote Access Functionality

Yara detected Flesh Stealer

Source: Yara match	File source: 00000002.00000002.887052638593.0000000004DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.887052638593.0000000004F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2752, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: L814CyOxMT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: L814CyOxMT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L814CyOxMT.exe.890000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Masquerading	1 OS Credential Dumping	31 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	231 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	231 Virtualization/Sandbox Evasion	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	212 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	133 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
L814CyOxMT.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Cerbu
L814CyOxMT.exe	100%	Avira	TR/Dropper.Gen
L814CyOxMT.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://drive.google	0%	Avira URL Cloud	safe
http://icanhazip.comd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
google.com	142.250.81.238	true	false	high
www.google.com	142.251.40.132	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
icanhazip.com	104.16.185.241	true	false	high
13.169.14.0.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://icanhazip.com/	false	high
https://google.com/	false	high
https://www.google.com/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?usp=installed_webapp	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/installwebapp?usp=chrome_default	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/FleshStealer	MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/J	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/:	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.nDpqIaYUvbc2	tmp6926.tmp.dat.2.dr	false		high
https://mail.google.com/mail/:	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/installwebapp?usp=chrome_default	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/FleshStealert-	MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/:	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/installwebapp?usp=chrome_default	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPage	downloadedFile.exe.2.dr	false		high
https://docs.google.com/document/:	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/J	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/?usp=installed_webapp	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/J	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/r1.crl0	MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/:	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	downloadedFile.exe.2.dr	false		high
https://www.youtube.com/s/notifications/manifest/cr_install.html	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000002.00000002.887045237055.0000000003191000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/J	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96	downloadedFile.exe.2.dr	false		high
https://drive.google.com/:	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i.pki.goog/r1.crt0	MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/J	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.comd	MSBuild.exe, 00000002.00000002.887045237055.000000000339B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp6926.tmp.dat.2.dr	false		high
https://www.google.com/favicon.ico	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s24	downloadedFile.exe.2.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	MSBuild.exe, 00000002.00000002.887052638593.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000005134000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004D87000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004422000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.0000000004252000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887052638593.000000000476A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/?usp=installed_webapp	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	tmp6926.tmp.dat.2.dr	false		high
https://docs.google.com/document/?usp=installed_webapp	MSBuild.exe, 00000002.00000002.887045237055.0000000003664000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000335E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000382B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000376E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003386000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000366F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.000000000388D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	MSBuild.exe, 00000002.00000002.887052638593.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google	MSBuild.exe, 00000002.00000002.887045237055.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003373000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003756000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003651000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003778000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003869000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.0000000003811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.887045237055.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.40.132	www.google.com	United States	15169	GOOGLEUS	false
89.23.100.233	unknown	Russian Federation	48687	MAXITEL-ASRU	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
142.250.81.238	google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550367
Start date and time:	2024-11-06 17:38:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	L814CyOxMT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/5@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 87% Number of executed functions: 217 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 52.111.227.13, 23.200.88.181, 23.200.88.172, 23.200.88.211, 23.200.88.175, 23.200.88.176, 23.200.88.178, 23.200.88.177, 23.200.88.179, 23.200.88.174
Excluded domains from analysis (whitelisted): www.bing.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, g.bing.com, nexusrules.officeapps.live.com, www-www.bing.com.trafficmanager.net, prod.nexusrules.live.com.akadns.net
Execution Graph export aborted for target L814CyOxMT.exe, PID 6424 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: L814CyOxMT.exe

Simulations

Behavior and APIs

Time	Type	Description
11:40:28	API Interceptor	168x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.23.100.233	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse
	SecuriteInfo.com.Trojan.PWS.Siggen3.38160.4541.30793.exe	Get hash	malicious	Unknown	Browse
104.16.185.241	GsZkXAmf61.exe	Get hash	malicious	Celestial Rat, EICAR	Browse	icanhazip.com/
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	icanhazip.com/
	Company profile.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	icanhazip.com/
	RFQ.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	icanhazip.com/
	HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	icanhazip.com/
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	icanhazip.com/
	Quotation.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	Request for Quotation_1.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	out.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
icanhazip.com	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.184.241
	Q1KaSJ8Fom.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	Q1KaSJ8Fom.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	104.16.184.241
	gGcpYEOr8U.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	GsZkXAmf61.exe	Get hash	malicious	Celestial Rat, EICAR	Browse	104.16.185.241
	GsZkXAmf61.exe	Get hash	malicious	Celestial Rat	Browse	104.16.184.241
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.184.241
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	104.16.185.241
	Company profile.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	104.16.185.241
ax-0001.ax-msedge.net	https://prezi.com/i/amopqalyrbyv/	Get hash	malicious	Unknown	Browse	150.171.27.10
	Remittance_Ref;-49743170932be73dd68e9130949b1b5dbf8aa216bc0f0729cd.html	Get hash	malicious	Unknown	Browse	150.171.28.10
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	150.171.28.10
	file.exe	Get hash	malicious	Credential Flusher	Browse	150.171.27.10
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse	150.171.27.10
	2407821277133588494.js	Get hash	malicious	Strela Downloader	Browse	150.171.28.10
	De_posit Confirmati0n_ Mitie.html	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://app.bitdam.com/api/v1.0/links/rewrite_click/?rewrite_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXdyaXRlX2lkIjoiNjcyOGQ2YzliOTFmMDRhNDE1NjM3NTRhIiwidXJsIjoiIiwib3JnYW5pemF0aW9uX2lkIjo1ODQwfQ.Uhd2nS1gN1sUzvqpPDTmoAH1ZU9vF-hNz1sM06cv-iA&url=https%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.ro/url%3Fq%3Dhttps%3A//www.google.nl/url%3Fq%3DZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%6E%65%77%68%6F%6D%65%73%76%6E%2E%63%6F%6D%2F%63%67%69%2F/3we/Y29saW4uZ3JhbnRAZmlyc3RvbnRhcmlvLmNvbQ==	Get hash	malicious	Unknown	Browse	150.171.28.10
	+1-481-481-XXX_audio.wa.html	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://r.mailing.campingcarpark.com/tr/cl/m2JPJkzPDbfL5s2bDabtlPRATYRQylIubPPupv_vc3kDzIWW2_TNYLb8YBmBuxxUamsx-FMq6iQDKP4aBiozKtmctIWJHvB_jMPMQCy2V9w9n7PdBiSom_VscfyxjRbqNIYqjqLTOUl5-9LarkHqAVm5L2wSo2oXxGVlFSK9ch7-9o3rO6zfaWOVTBYD4bj-cBh9D46nF7VLeW5JX646w9BMjGtwIbaonCu5pf0X8ov7yR1QFDHFtwW10C7XEoZag-1kPqsvroBYGdEMlwciu7AuBU1Y26NjgdB1vb4QnVOsIs_acQZJzGs0n3fybIY3bzcEJyP_Oy1jYqrav3I9lVVIjNjH0id0gdS4TbucLqy31-2RoRtZQc8bVuUs9GXZATyHwjK94EM9fKm3gaQ0u6Km4OhvabjJRJ1r26CvdUmHO1SK4HumQKUTUp8TXSmV-Stnpm_CGVl-UuJ0NvRq2I4Xw9uT__o0aJIGY71Xtr5Z7Y_et8YZZEgYR8N-C3PmDstWGdA9-IDO6X1D8sJVLEuj4ynD4q9-hO3nCsqHsDxKxs0cmE6rNpf8r-UvD1nXZ_a-VWCTi1NHu4b8MXaBheK-JZ2q5hHvkeAVzUdiXCOufUWyY-Ee97OlTdt1Y3IjIn0dj-CvUR17EtHIzPpKzFbJHJuSBA7gKlgbAXP5qj9Z9DYOs3fd4_dxBHDc4hFtPyERTdDEp75X34mcet-FOG2cCg6GELttByElL4HvrmfIJOs_BaLRaeRpYLsj2tIjMzr0T4OVWHBOW-Q1-iqoT_zCsmcuYUhzpgTIqTGpvB7QFG0i3ZF3aeteqWLx1NAZYNeYfLSsmOWLZWMqQuWpJNh5nxTAhUC-Ine_ExnFOYwfU5uvTSRkQ3WnzaJTik6lH8zjYuRq0R9zqImSml6gks4xbe9VZFCW-qtDzZihL-bjo2pnAM-z6PAC_JoDVrKTvQZZFhm5dMQTMyyNpmiJG_1gQ1xJxfcTrHmgDYLf	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	KfoiTvEwmD.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.95.204
	Purchase Order EFT.pdf	Get hash	malicious	Unknown	Browse	172.67.145.243
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse	104.26.12.205
	Aviso de pago.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	http://www.intelliclicksoftware.net/clicktrack2/click.aspx?ActionType=CreateHistory&CustomerID=GM-CSATRANS&ParentRecordID=&Campaign=Thank%20You%20For%20Your%20Business%20SR&Name=&Company=&Phone=&Email=&Subject=Click%20Through&WebNav=True&URL=http://johnvugrin.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://prezi.com/i/amopqalyrbyv/	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	1.1.1.1
MAXITEL-ASRU	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	Ham9SAD0Ou.doc	Get hash	malicious	Unknown	Browse	89.23.98.98
	file.dll	Get hash	malicious	Matanbuchus	Browse	89.23.113.220
	file.dll	Get hash	malicious	Matanbuchus	Browse	89.23.113.220
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	89.23.100.233
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	89.23.100.233
	SecuriteInfo.com.Trojan.PWS.Siggen3.38160.4541.30793.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	tjigfd64.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.209.5
	3plugin29563.exe	Get hash	malicious	Amadey	Browse	89.23.103.42
	setup.exe	Get hash	malicious	RedLine	Browse	89.23.97.185

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	Shipping Documents.xls	Get hash	malicious	Unknown	Browse	150.171.28.10
	http://go.wafykoe.com/0nbe	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	Payment Confirmation (237 KB).msg	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	150.171.28.10
	https://qr.link/YzVlSa	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	150.171.28.10
	https://online.telecoms.click/provisional.html?private=yummy.burger@saic.com	Get hash	malicious	Unknown	Browse	150.171.28.10
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	150.171.28.10
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFnKMUa7un9eFMg0JUHf71Dy-2Fi7dgW0zG7NN7FnX-2BRfWJPxmxdpUDiRF-2Fra5O27kwvA-3D-3DUvZW_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPe5eIaMAcaNYEFc8XJVUZkedrdLKhhnsZ-2BYGpL8Aexp5QfDYeLBDn2jKVmp7oADiMjLLiOLEX0yzDO9WsfbA3D-2B-2FRfY-2FLM-2FZL819bIeqi10r3tMBkA5tIJ3L06KhQPsl4VgIlimoGLXnuduW-2FXkk1JtF3sDOE7yxjbo68R-2Br0Xg-2BJqttxfjS-2BU2vScHQ9Tk4Yb5q9NkRDH2-2FfmFoaCrG767CAizSCoM8egZuTS7qFpzgz7LaiLstYCh9bj8z-2BdwW4-3D#Cmariabilan@pointloma.edu	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	https://na2.documents.adobe.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCX_CdmV54WhbwmGNmUgUY27Kzb0iIqbw3x78Nfs8Z-Ky9Jbk1e_ZUruh3S8n-MZ1k	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	A Wireless Caller left a recording #iE0rfKd.eml	Get hash	malicious	Unknown	Browse	150.171.28.10
	VisitorLevy.exe	Get hash	malicious	Vidar	Browse	150.171.28.10
3b5074b1b5d032e5620f69f9f700ff0e	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse	142.251.40.132 142.250.81.238
	meN9qeS2DE.exe	Get hash	malicious	XWorm	Browse	142.251.40.132 142.250.81.238
	rA01_278 Check list#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.251.40.132 142.250.81.238
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.251.40.132 142.250.81.238
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.251.40.132 142.250.81.238
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.251.40.132 142.250.81.238
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.251.40.132 142.250.81.238
	http://go.wafykoe.com/0nbe	Get hash	malicious	HTMLPhisher	Browse	142.251.40.132 142.250.81.238
	https://www.google.com/url?q=https://alhmusa.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVdIUkpVa009JnVpZD1VU0VSMTUxMDIwMjRVMDExMDE1NDE%3D&sa=D&source=editors&ust=1730911677097978&usg=AOvVaw0lzPnbpui3_6j_tDBkURnO	Get hash	malicious	Unknown	Browse	142.251.40.132 142.250.81.238

Process:	C:\Users\user\Desktop\L814CyOxMT.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.35152097590267
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPuuOKbbDLI4MWuPJKy2Khav:ML9E4KGbKDE4KhKzKhk
MD5:	8C7889BDE41724CE3DB7C67E730677F6
SHA1:	485891CC9120CB2203A2483754DBD5E6EA24F28E
SHA-256:	83C70BFCB1B41892C9C50CABE9BC2D96B2F7420B28545AFABD32F682AC62D0AD
SHA-512:	B7C3AAB27FC924DCAEF78987B492931E164B9E30B813C532FE87E1D40001ED1861C4B5DDBDD85CD2278681A22E32EEE816877F4F63CECAA9972976D87E38F5CC
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\68e52ded8d0e73920808d8880ed14efd\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\62fe5fc1b5bafb28a19a2754318abf00\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1588
Entropy (8bit):	5.365439852188877
Encrypted:	false
SSDEEP:	48:MxHKG+1qHDD3CYHKhSoPtHokhAHKzToHfNCJHUHKL:iqPwjzCYqhSoPtIkeqzEV80qL
MD5:	86D99F43187ABC64D98D0CFBD6129657
SHA1:	DDBC054EA2A1A45954BF9F1AA7A9101F1FC73E74
SHA-256:	AAD7F90FFD624AD14D9D55E018280D188352B5D7792CFE300489586C0FC17B72
SHA-512:	8BDD6CE1E692F15F13FC80E99F019BBBBA7733A88ECCBD276D870A7FC9F42DD741C717702531784C3349A4775FE10296D1E5DEBCC396E8EEEFC7A16492E775BC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\68e52ded8d0e73920808d8880ed14efd\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\6727d7bc35e330366d2e1724c31588d2\System.Drawing.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\62fe5fc1b5bafb28a19a2754318abf00\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\96b2b7229c43d2712ff1bf4906a723f6\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\

C:\Users\user\AppData\Local\Temp\downloadedFile.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	HTML document, ASCII text, with very long lines (8191)
Category:	dropped
Size (bytes):	57869
Entropy (8bit):	5.653565409612313
Encrypted:	false
SSDEEP:	768:rK41ocybUwZg8Pw7aBcQU9W38Eado4p1BRjrHuWn8oV615eqBhb3LnBY0CO/oxPF:rnoh6QU9Ws/+4p1BRjrHNnV015f3Nan
MD5:	DD2F1FE105DB35FD50DAF7AF0F9359C7
SHA1:	692B69BF8442D189B796FCE03284CCAF9A3D78EF
SHA-256:	C524F8E094B29E0888E1A4627760F55B5CBA30B6487BDE6D6A68018FBD14CF9D
SHA-512:	257E0841FD1E54137FEE7CB895BB91697EDF6CC8B57050F4492AE3F3C4B479E4D52F3CC6ED8895CC0B3E4A3D5B0B2BE84C3EBE216A761418887ACB0874C1376D
Malicious:	false
Preview:	<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="lwAh37qvl8k5Prvmrl_qFQ">(function(){var _g={kEI:'_ZsrZ9ejHeXE0PEP3Zm_sQ8',kEXPI:'0,3700293,1091,496886,41775,2872,2891,8349,64701,34266,162437,23024,6699,106648,16867,799,10161,23350,22436,9779,38677,23980,36747,3801,2412,33249,15816,1804,7734,18098,21250,340,1295,29276,27083,5213696,116,415,8831981,1567,1,78,24,1,6,1,7,2,4,1,5,1,21,2,7439373,119,16496111,4043709,16673,2169858,23029351,8163,4636,16436,84045,22622,885,14280,8182,5933,36873,6623,14243,9,4759,2655,3439,3319,2639,13

C:\Users\user\AppData\Local\Temp\tmp6926.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 77, last written using SQLite version 3045002, page size 32768, writer version 2, read version 2, file counter 3, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.04195199897834991
Encrypted:	false
SSDEEP:	192:alcnAVh3MQsX2Ptp1wbKevO6M96nSPhR3fFaA6IMiBJV:alcnAPdsX2PtpCuXj6GX3cASu
MD5:	4220F8B5379D9A1CB29D88395F5080E8
SHA1:	731D28CB85F7C1C9DBA95C4A4E4B7BA7930268A4
SHA-256:	02D4577FECBAAE00E7A2C867F88A694F168A98FCF3153DE39108E1E0669D5401
SHA-512:	3B4205605B32BC182347EEF784C30E86760C902F711B7936854398FFA8599C1A86C462D7CE779AA83EE40C43306E650E92285CAE49D84B02DDDFEAE32D9563CA
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................M..................................v.....-a>.~...\|0{.{Zz.z.y.y.y.x.w.v.vvu.t.u.s.r.sAr0q.q.p.p.o@o.n.nLmrn.lHk.j{i.ijfEe.d.c.d.c@b.b'a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6927.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 13, last written using SQLite version 3045002, page size 32768, writer version 2, read version 2, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.027515372941387128
Encrypted:	false
SSDEEP:	24:D43S232mNVpP965RayKN0MG/lTUlRt6wWUlkcObl:DoS6rh9WTKlRswRlkf
MD5:	21C347A9181FE59AEAE85D756BA9354F
SHA1:	E774CBE8A1F814DE978A7071A31EDCBB6E08663E
SHA-256:	1A227EBBCD4D6AD950DBBD94142CAB32E8998E1B8812E6CCFE1BCAA3C5F8673A
SHA-512:	B950CEB3FDA3B72FF2807878633DBDCA087990252B957F410083C3F1A1C0CF4D9EACDA2294C385293A759469FAEAE1B834A9973BA3B35108A3F9ACB9527FFD0B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.041067992291744
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	L814CyOxMT.exe
File size:	2'430'976 bytes
MD5:	27e03cf0e06e2536b8bac6914d4c4cb5
SHA1:	535b3de99526f6957a13f1225ec60b1c17599383
SHA256:	9460f252a78ee97283975e9aa8aa6292b1674c7fe632914b3e09bdb3af56078e
SHA512:	0b6350c853a721f0f8679f6ded91d4fe59cbc1048b27b1588c528db1ddebf12045e28514250aec571c5a0334e2ea90bb224d1777055838be4d92d5b1f05b7ea5
SSDEEP:	24576:1sQ0jNLGEqVpBgyaq/L4f/20towvNhKTCpTK3I:1T82CT+
TLSH:	D2B56A06B991BA3FD209477AC46758D00BE4424D267BD70F2C4B12BEE52279BBC0FD5A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0...%.........^,%.. ...@%...@.. ........................%...........`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x652c5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF6DB9E99 [Wed Mar 30 01:08:41 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x252c10	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x254000	0x588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x256000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x250c64	0x250e00	77ca1e9d8fece9edb9f418f53cccc947	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x254000	0x588	0x600	6ad2f5545bf9065d98c42722c558a1cc	False	0.4153645833333333	data	4.02029694755872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x256000	0xc	0x200	166eb986739e863a2d31e7a650dfac27	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "%"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2540a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0x25439c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 17:40:28.447320938 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.447392941 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.447835922 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.459605932 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.459625959 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.682511091 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.682862043 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.683161020 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.683427095 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.687020063 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.687032938 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.687277079 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.731827021 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.734663963 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.776062965 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.953897953 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.953974009 CET	443	49870	142.250.81.238	192.168.11.30
Nov 6, 2024 17:40:28.954135895 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:28.959011078 CET	49870	443	192.168.11.30	142.250.81.238
Nov 6, 2024 17:40:29.068434954 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.068516970 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.068718910 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.068967104 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.069010973 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.312189102 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.312453985 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.313633919 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.313679934 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.314596891 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.315799952 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.356040955 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.611387014 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.611430883 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.611452103 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.611515045 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.611927986 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.611941099 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.612261057 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.620884895 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.626481056 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.626498938 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.626868963 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.626882076 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.627255917 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.633759975 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.641309977 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.641593933 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.641606092 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.684741020 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.718844891 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.718883991 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.718966007 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.719130993 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.719144106 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.719362974 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.725167036 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.732995987 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.733100891 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.733422041 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.733481884 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.733639956 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.744503975 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.748080015 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.748183012 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.748334885 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.748392105 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.748634100 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.755297899 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.769110918 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.769148111 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.769378901 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.769397974 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.769681931 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.770586014 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.776201963 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.776238918 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.776520014 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.776540041 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.776706934 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.784507036 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.793700933 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.793725967 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.793893099 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.793905020 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.794203043 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.797231913 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.804121971 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.804166079 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.804325104 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.804335117 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.804563046 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.821517944 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.824474096 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.824570894 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.824600935 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.824609041 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.824722052 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.824733973 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.831151009 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.831356049 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.831394911 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.841526985 CET	443	49871	142.251.40.132	192.168.11.30
Nov 6, 2024 17:40:29.841713905 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:29.842020035 CET	49871	443	192.168.11.30	142.251.40.132
Nov 6, 2024 17:40:41.943810940 CET	49872	80	192.168.11.30	104.16.185.241
Nov 6, 2024 17:40:42.046509981 CET	80	49872	104.16.185.241	192.168.11.30
Nov 6, 2024 17:40:42.046679974 CET	49872	80	192.168.11.30	104.16.185.241
Nov 6, 2024 17:40:42.046797991 CET	49872	80	192.168.11.30	104.16.185.241
Nov 6, 2024 17:40:42.156913042 CET	80	49872	104.16.185.241	192.168.11.30
Nov 6, 2024 17:40:42.174412012 CET	80	49872	104.16.185.241	192.168.11.30
Nov 6, 2024 17:40:42.229006052 CET	49872	80	192.168.11.30	104.16.185.241
Nov 6, 2024 17:40:44.521605968 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.521656036 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:44.521882057 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.524581909 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.524621964 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:44.860843897 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:44.861145020 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.862792015 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:44.862987995 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.897521973 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.897561073 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:44.898222923 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:44.898358107 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.900585890 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:44.944039106 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:45.069073915 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:45.069195032 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:45.069353104 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.069463968 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.069463968 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.069502115 CET	443	49873	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:45.069534063 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.069669962 CET	49873	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.805437088 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.805486917 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:45.805730104 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.805890083 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:45.805921078 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.129395962 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.129551888 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:46.129883051 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:46.129904985 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.130095959 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:46.130117893 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.351320982 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.351361036 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.351490974 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:46.351574898 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:46.351574898 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:46.351587057 CET	443	49875	150.171.28.10	192.168.11.30
Nov 6, 2024 17:40:46.351725101 CET	49875	443	192.168.11.30	150.171.28.10
Nov 6, 2024 17:40:49.299943924 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:49.546092987 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:49.546315908 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:49.552542925 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:49.552598000 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:49.798690081 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:49.798945904 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:49.798993111 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:49.799166918 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:49.799344063 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.045526028 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.045541048 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.045548916 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.045557976 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.045734882 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.045908928 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.045980930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.046075106 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.046252012 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.046252966 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.046427011 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.046591043 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.046761990 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.291912079 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.291919947 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.291992903 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.292074919 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.292241096 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.292408943 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.292736053 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.292911053 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.293116093 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.293165922 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.293206930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.293457031 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.293636084 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.293639898 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.293735027 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.293800116 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.293920040 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.293962002 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.294131041 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.294137001 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.294229984 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.294306040 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.294640064 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.294800043 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.538147926 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.538181067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.538367033 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.538542986 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.538779020 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.538808107 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.538934946 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.539027929 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.539031029 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.539122105 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.539208889 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.539361954 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.539381981 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.539540052 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.539635897 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.539659023 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.539714098 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.539880037 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.540020943 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.540225983 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.540296078 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.540318966 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.540411949 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.540472031 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.540493011 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.540577888 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.540586948 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.540755033 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.540934086 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.541095018 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.541127920 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.541243076 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.541254044 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.541394949 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.541560888 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.541742086 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.541929007 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.542377949 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.542500973 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.542603970 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.542788982 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.542946100 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.543118954 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.784846067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.784905910 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.784949064 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.784979105 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.784998894 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.785088062 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.785269976 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.785381079 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.785434961 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.785595894 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.785701990 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.785804033 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.785877943 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.786031008 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.786205053 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.786228895 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.786269903 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.786293030 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.786341906 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.786669016 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.786683083 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.786763906 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.786783934 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.786899090 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.787008047 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787048101 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787069082 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.787161112 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787195921 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.787246943 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787269115 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787461042 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.787623882 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787655115 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787659883 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.787723064 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787801981 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.787847042 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.787992954 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.788039923 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.788172007 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.788355112 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.788398981 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.788420916 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.788485050 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.788654089 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.788678885 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.788722038 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.788765907 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789064884 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.789103985 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789247990 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.789262056 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789343119 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789402008 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.789577007 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.789628029 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789664030 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789710999 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.789861917 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.789876938 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.789988041 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790009975 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790102005 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790101051 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.790209055 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790249109 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.790544033 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790565014 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.790585995 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790736914 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.790751934 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790791988 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.790914059 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.791018963 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.791063070 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.791074038 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.791239023 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.791296005 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.791337967 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.791378021 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.791454077 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.791598082 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.791794062 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.791940928 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.792049885 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792094946 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792130947 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.792134047 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792175055 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792285919 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792326927 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792366028 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.792370081 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.792594910 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.792753935 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.792881012 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:50.793375969 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:50.793564081 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.031266928 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031301975 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031470060 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.031642914 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.031682014 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031711102 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031730890 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031800032 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031820059 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031840086 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031858921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.031950951 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032011986 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032140017 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032147884 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032321930 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032423019 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032484055 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032655001 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032702923 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032795906 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032845020 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032866955 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032960892 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.032968998 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.032980919 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.033137083 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.033339977 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.033478022 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.033519030 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.033740997 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.033941984 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.034168005 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.034287930 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.035923958 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.035970926 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.036001921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.036087036 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.036117077 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.036310911 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.036483049 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.036607981 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.036789894 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.038065910 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.038094997 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.038204908 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.038384914 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.038580894 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.038609982 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.038677931 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.038815022 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.039000988 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.039132118 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039156914 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039161921 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.039175987 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039196968 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039328098 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.039416075 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039505005 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.039669037 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.039699078 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039720058 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039737940 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039798021 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039818048 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.039982080 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.040153980 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.040318012 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040338039 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040358067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040514946 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040534973 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040636063 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.040657997 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040678024 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040857077 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.040894985 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.040985107 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.041053057 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041152954 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.041271925 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041291952 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041312933 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041316986 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.041332006 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041558981 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041579962 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041599035 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041702032 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.041819096 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.041863918 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.041944981 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042018890 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.042164087 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042184114 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042191982 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.042308092 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042366982 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.042587042 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042607069 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042625904 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042682886 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.042783022 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042804003 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.042851925 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.042959929 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.043016911 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.043052912 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.043175936 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.043231010 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.043396950 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.043550968 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.043673992 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.043694019 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.043715954 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.043874025 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.043951035 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044086933 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.044189930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044209003 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.044284105 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044306040 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044555902 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.044589043 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044610023 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044668913 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.044748068 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.044918060 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.044950008 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045043945 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045061111 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.045063019 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045236111 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.045315981 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045428991 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.045533895 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045608044 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.045738935 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.045815945 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045838118 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045856953 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.045917034 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.046089888 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.046200037 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.046293020 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.046330929 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.046483040 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.046652079 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.046864033 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.046885014 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.046943903 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.046963930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.047058105 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.047281027 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.047372103 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.047393084 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.047485113 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.047548056 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.047569036 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.047646046 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.047822952 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.047972918 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.048175097 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.277736902 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.277762890 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.277961969 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.278007984 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.278136015 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.278141022 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.278161049 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.278239012 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.278309107 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.278469086 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.278477907 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.278650999 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.278819084 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.279084921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279109001 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279125929 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279143095 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279159069 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279175043 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279191017 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279320955 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.279458046 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279491901 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.279536009 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279553890 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279656887 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.279681921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279732943 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279836893 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.279863119 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.279880047 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280015945 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.280142069 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280173063 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.280249119 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280266047 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280356884 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280462980 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280503035 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.280647993 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280653000 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.280667067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280683041 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280699968 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.280985117 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.281164885 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.281230927 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281248093 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281265020 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281280994 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281296968 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281375885 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281492949 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.281644106 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281661987 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281672955 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.281677961 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.281867981 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.282035112 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.282138109 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282155991 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282196045 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.282361031 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.282538891 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.282640934 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282658100 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282675028 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282686949 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.282691002 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282707930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.282723904 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283035040 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.283176899 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283195972 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283198118 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.283246040 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283262968 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283632994 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283646107 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.283649921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.283806086 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.283976078 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.283982038 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284001112 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284017086 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284034014 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284085989 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284162045 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.284244061 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284320116 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.284348011 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284452915 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284487009 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.284661055 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.284804106 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.284832954 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284849882 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284866095 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.284979105 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.285051107 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.285068989 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.285145044 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.285229921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.285339117 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.285504103 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.285676003 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.285809994 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.285826921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286137104 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.286144972 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286163092 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286315918 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.286401033 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286485910 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.286565065 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286581993 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286598921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.286652088 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.286993027 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.287130117 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.287147045 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.287159920 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.287332058 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.287463903 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.287523031 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.287729025 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.287745953 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.287964106 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288232088 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288336039 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288712978 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288729906 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288834095 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288852930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.288868904 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.289499998 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.289896011 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.289921999 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.289942026 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.289958954 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.289974928 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.290143013 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.290170908 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.290188074 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.290555000 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.291054964 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.291117907 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.291292906 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.291475058 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.291682959 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.291817904 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.292087078 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.292114973 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.292800903 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.292819023 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293020964 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293209076 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293525934 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293737888 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293765068 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293782949 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.293940067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.294326067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.294727087 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.295485973 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.295537949 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.295557022 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.295732021 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.295759916 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296263933 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296329975 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296509027 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296646118 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296673059 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296689987 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296708107 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296725988 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.296885014 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.297204018 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.297224045 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.297375917 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.297518969 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.297956944 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.297976017 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.298491955 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.300189018 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.300215960 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.300425053 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.300451994 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.300471067 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.300487041 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.301656008 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.301683903 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.301923037 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.301949024 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.301966906 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.302871943 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.302901030 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.302917957 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.302934885 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.303076982 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.303833008 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.304831028 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.305455923 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306005001 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306030989 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306049109 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306066036 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306082964 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306098938 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.306829929 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.307503939 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.307730913 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.307867050 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.308212042 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.524040937 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.524089098 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.524600029 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.524638891 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.525072098 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.525568008 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.525816917 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.525844097 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.525861025 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.525877953 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.527410984 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.527450085 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.527779102 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.528589964 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.528626919 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.528661013 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.528695107 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.529126883 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530165911 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530206919 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530241013 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530275106 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530308962 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530344009 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530378103 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530411959 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.530447006 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.531222105 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.531253099 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.531286001 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.532490015 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536456108 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536495924 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536531925 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536564112 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536596060 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536629915 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536664963 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536699057 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536734104 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536767006 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.536798954 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537059069 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537097931 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537132978 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537167072 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537792921 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537817955 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537928104 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.537966967 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538002968 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538038969 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538072109 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538105965 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538140059 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538515091 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538552046 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538573027 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538589001 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.538605928 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539364100 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539405107 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539438963 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539458990 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539475918 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539491892 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539509058 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.539952993 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540010929 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540045977 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540079117 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540112972 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540147066 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540751934 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540791035 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540823936 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540857077 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540891886 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.540925026 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541289091 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541318893 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541351080 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541384935 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541415930 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541449070 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541485071 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541516066 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.541743994 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542254925 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542293072 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542326927 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542362928 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542397022 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542431116 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542465925 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542656898 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542678118 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542695999 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542711020 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542727947 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.542745113 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543412924 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543452024 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543483973 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543514967 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543548107 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543581963 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543617964 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543653011 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543759108 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543797016 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543832064 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543865919 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543899059 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543931961 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.543979883 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544020891 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544054031 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544087887 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544121027 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544153929 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544188976 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.544958115 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.559457064 CET	9929	49876	89.23.100.233	192.168.11.30
Nov 6, 2024 17:40:51.573282957 CET	49876	9929	192.168.11.30	89.23.100.233
Nov 6, 2024 17:40:51.573447943 CET	49872	80	192.168.11.30	104.16.185.241

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 17:40:28.332878113 CET	56527	53	192.168.11.30	1.1.1.1
Nov 6, 2024 17:40:28.442192078 CET	53	56527	1.1.1.1	192.168.11.30
Nov 6, 2024 17:40:28.960758924 CET	52822	53	192.168.11.30	1.1.1.1
Nov 6, 2024 17:40:29.067568064 CET	53	52822	1.1.1.1	192.168.11.30
Nov 6, 2024 17:40:41.838171005 CET	57467	53	192.168.11.30	1.1.1.1
Nov 6, 2024 17:40:41.943135977 CET	53	57467	1.1.1.1	192.168.11.30
Nov 6, 2024 17:40:42.181493044 CET	57696	53	192.168.11.30	1.1.1.1
Nov 6, 2024 17:40:42.289108038 CET	53	57696	1.1.1.1	192.168.11.30

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2024 17:40:28.332878113 CET	192.168.11.30	1.1.1.1	0xdcf7	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:28.960758924 CET	192.168.11.30	1.1.1.1	0xc90e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:41.838171005 CET	192.168.11.30	1.1.1.1	0x8b42	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:42.181493044 CET	192.168.11.30	1.1.1.1	0x9c86	Standard query (0)	13.169.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 6, 2024 17:40:28.442192078 CET	1.1.1.1	192.168.11.30	0xdcf7	No error (0)	google.com		142.250.81.238	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:29.067568064 CET	1.1.1.1	192.168.11.30	0xc90e	No error (0)	www.google.com		142.251.40.132	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:41.943135977 CET	1.1.1.1	192.168.11.30	0x8b42	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:41.943135977 CET	1.1.1.1	192.168.11.30	0x8b42	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:42.289108038 CET	1.1.1.1	192.168.11.30	0x9c86	Name error (3)	13.169.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 6, 2024 17:40:44.519829035 CET	1.1.1.1	192.168.11.30	0x9e7c	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2024 17:40:44.519829035 CET	1.1.1.1	192.168.11.30	0x9e7c	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Nov 6, 2024 17:40:44.519829035 CET	1.1.1.1	192.168.11.30	0x9e7c	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

google.com

www.google.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.30	49872	104.16.185.241	80	2752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 6, 2024 17:40:42.046797991 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Nov 6, 2024 17:40:42.174412012 CET	537	IN	HTTP/1.1 200 OK Date: Wed, 06 Nov 2024 16:40:42 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=6eTfAwrWtna51bUcZBSBPZVJAdl2DXkis9yEui.QAF8-1730911242-1.0.1.1-1ISml7u6jgxsQ4eiKbi1KMIcDCvWovqejgMJQc7v9XWIiww5wtcA74kqXR4WA4kovekgnVeu.M32uQ3Pnq_y8w; path=/; expires=Wed, 06-Nov-24 17:10:42 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8de686df2b778c54-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0a Data Ascii: 156.146.36.208

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.30	49870	142.250.81.238	443	2752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-06 16:40:28 UTC	60	OUT	GET / HTTP/1.1 Host: google.com Connection: Keep-Alive
2024-11-06 16:40:28 UTC	631	IN	HTTP/1.1 301 Moved Permanently Location: https://www.google.com/ Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-pE23HvybzYBb2Igy5kpaNQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp Date: Wed, 06 Nov 2024 16:40:28 GMT Expires: Fri, 06 Dec 2024 16:40:28 GMT Cache-Control: public, max-age=2592000 Server: gws Content-Length: 220 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-06 16:40:28 UTC	220	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://www.google.com/">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.30	49871	142.251.40.132	443	2752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-06 16:40:29 UTC	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
2024-11-06 16:40:29 UTC	1191	IN	HTTP/1.1 200 OK Date: Wed, 06 Nov 2024 16:40:29 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-lwAh37qvl8k5Prvmrl_qFQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp Accept-CH: Sec-CH-Prefers-Color-Scheme P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AVYB7cqtlzYfhSsnN6dAiuEDd1xsB3yIrzRxO52INHIT3TEMe3jKpQg6YAI; expires=Mon, 05-May-2025 16:40:29 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=518=PVv4-QddX4OGqUXOfooVRKcZVRji9M9PuXBIsTUE3TENuoZotrjTmUU8upbimKNeWufspL1aSDsJkAEvWNSD-OxnsnXBD1ey-lsJracqo0HjfmqOXPl5roe3TroxTAQUG7AjwxlsLuhJuHc353j3au1vU5IAeBUbfAxmSf0nuNxgLOhR4kGnWPK22U_ccPly3EQcByGSMA; expires=Thu, 08-May-2025 16:40:29 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-06 16:40:29 UTC	64	IN	Data Raw: 35 33 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e Data Ascii: 5300<!doctype html><html itemscope="" itemtype="http://schema.
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6f 64 70 2c 20 22 20 6e 61 6d 65 3d 22 72 Data Ascii: org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="r
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 31 2c 33 33 38 2c 31 2c 33 2c 33 33 30 2c 33 31 34 2c 31 2c 33 30 2c 33 38 30 2c 31 2c 31 31 31 34 2c 31 32 31 31 2c 38 38 2c 32 31 36 2c 32 36 32 2c 33 2c 32 30 30 2c 39 38 36 2c 33 39 37 2c 34 36 2c 31 2c 32 35 2c 31 2c 36 31 2c 31 37 36 32 2c 33 32 34 39 2c 34 37 32 2c 35 33 30 33 2c 31 34 35 34 2c 31 39 37 2c 31 2c 36 2c 32 31 30 2c 33 38 38 34 2c 38 35 37 2c 34 36 30 2c 33 30 2c 32 2c 32 31 37 38 2c 33 2c 35 36 31 2c 31 36 34 38 2c 35 34 30 2c 37 32 34 2c 33 39 31 2c 32 30 33 34 2c 33 39 2c 31 37 2c 33 2c 31 33 33 2c 38 39 35 2c 33 2c 37 2c 31 34 39 2c 36 34 39 2c 31 33 36 33 2c 31 37 36 35 2c 35 36 2c 31 37 35 34 2c 31 35 35 34 2c 33 30 31 2c 31 30 39 2c 31 36 34 2c 33 33 30 2c 38 39 2c 32 33 2c 36 2c 39 2c 32 33 33 2c 31 2c 32 39 2c 35 33 33 2c 31 Data Ascii: 1,338,1,3,330,314,1,30,380,1,1114,1211,88,216,262,3,200,986,397,46,1,25,1,61,1762,3249,472,5303,1454,197,1,6,210,3884,857,460,30,2,2178,3,561,1648,540,724,391,2034,39,17,3,133,895,3,7,149,649,1363,1765,56,1754,1554,301,109,164,330,89,23,6,9,233,1,29,533,1
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 68 74 74 70 3a 2f 69 2e 74 65 73 74 28 61 29 26 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 31 2c 7b 73 72 63 3a 61 2c 67 6c 6d 6d 3a 31 7d 29 2c 61 3d 22 22 29 3b 72 65 74 75 72 6e 20 61 7d 0a 66 75 6e 63 74 69 6f 6e 20 74 28 61 2c 62 2c 63 2c 64 2c 6b 29 7b 76 61 72 20 65 3d 22 22 3b 62 2e 73 65 61 72 63 68 28 22 26 65 69 3d 22 29 3d 3d 3d 2d 31 26 26 28 65 3d 22 26 65 69 3d 22 2b 70 28 64 29 2c 62 2e 73 65 61 72 63 68 28 22 26 6c 65 69 3d 22 29 3d 3d 3d 2d 31 26 26 28 64 3d 71 28 64 29 29 26 26 28 65 2b 3d 22 26 6c 65 69 3d 22 2b 64 29 29 3b 64 3d 22 22 3b 76 61 72 20 67 3d 62 2e 73 Data Ascii: http:/i.test(a)&&window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&(e+="&lei="+d));d="";var g=b.s
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 29 3b 76 61 72 20 68 3b 28 68 3d 67 6f 6f 67 6c 65 29 2e 6c 6f 61 64 41 6c 6c 7c 7c 28 68 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 29 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 76 61 72 20 6b 3b 28 6b 3d 67 6f 6f 67 6c 65 29 2e 6c 78 7c 7c 28 6b 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 29 3b 76 61 72 20 6c 3d 5b 5d 2c 6d 3b 28 6d 3d 67 6f 6f 67 6c 65 29 2e 66 63 65 7c 7c 28 6d 2e 66 63 65 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 6e 29 7b 6c 2e 70 75 73 68 28 5b 61 2c 62 2c 63 2c 6e 5d 29 7d 29 3b 67 6f 6f 67 6c 65 2e 71 63 65 3d 6c 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b Data Ascii: oogle.lq.push([[a],b,c])});var h;(h=google).loadAll\|\|(h.loadAll=function(a,b){google.lq.push([a,b])});google.bx=!1;var k;(k=google).lx\|\|(k.lx=function(){});var l=[],m;(m=google).fce\|\|(m.fce=function(a,b,c,n){l.push([a,b,c,n])});google.qce=l;}).call(this);
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 69 7a 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74 63 62 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 Data Ascii: ize:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibility:h
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 20 33 70 78 20 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 70 78 3b 6c 65 66 74 3a 34 70 78 7d 23 67 62 7a 74 6d 73 31 2c 23 67 62 69 34 6d 31 2c 23 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d 63 2c 2e 67 62 6d 63 63 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 Data Ascii: sparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 37 70 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 30 20 30 3b 77 69 64 74 68 3a 31 70 78 7d 2e 67 62 7a 74 3a 68 6f 76 65 72 2c 2e Data Ascii: .gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: 5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:
2024-11-06 16:40:29 UTC	1255	IN	Data Raw: 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 35 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 67 62 64 34 20 2e 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74 69 63 61 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23 67 62 6d 70 64 76 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 Data Ascii: weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bottom:1px solid #

Target ID:	0
Start time:	11:40:27
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\L814CyOxMT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\L814CyOxMT.exe"
Imagebase:	0x890000
File size:	2'430'976 bytes
MD5 hash:	27E03CF0E06E2536B8BAC6914D4C4CB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.886810697587.0000000003045000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.886802463927.0000000000892000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:40:27
Start date:	06/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xca0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FleshStealer, Description: Yara detected Flesh Stealer, Source: 00000002.00000002.887052638593.0000000004DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FleshStealer, Description: Yara detected Flesh Stealer, Source: 00000002.00000002.887045237055.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FleshStealer, Description: Yara detected Flesh Stealer, Source: 00000002.00000002.887052638593.0000000004F89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:40:29
Start date:	06/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Imagebase:	0xb50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:40:29
Start date:	06/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e8110000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:40:29
Start date:	06/11/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x490000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:40:29
Start date:	06/11/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profiles
Imagebase:	0xa90000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:40:29
Start date:	06/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0xbb0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 013F79CC Relevance: 2.6, Strings: 1, Instructions: 1338COMMON

Download Yara Rule

Strings

2, xrefs: 013F89B3

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 793485c890029abc30312a8d8a6e27cbdcb5a3dbf80d68793eeeae95cf5ff108
Instruction ID: eb718cf303b6bf23c69a0a547b4c71075692cedafd666f41c517eabf9b61b1ef
Opcode Fuzzy Hash: 793485c890029abc30312a8d8a6e27cbdcb5a3dbf80d68793eeeae95cf5ff108
Instruction Fuzzy Hash: 57E2F274A00228CFDB69DF68D984B9EBBB6FB88305F5081E9D919A7354DB345E81CF40

Function 013F4290 Relevance: 2.3, Strings: 1, Instructions: 1006COMMON

Download Yara Rule

Strings

UUUU, xrefs: 013F475D

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 741171ad4f3f36f639c812d4c461c5691e4e30b3cdc2f84812f3981d777e8788
Instruction ID: 563e9dcbbd86c5d635f409bbbe4c9bfeafb7c689cdd20773294e26852d0faf76
Opcode Fuzzy Hash: 741171ad4f3f36f639c812d4c461c5691e4e30b3cdc2f84812f3981d777e8788
Instruction Fuzzy Hash: 9EB2B275A00228CFDB65CF69C984B99BBB2FF89304F1581E9D509AB325DB319E81CF50

Function 013F9338 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ffab6070fa883b64e17d1d7427e0eb7988493b21d41f05aa6e5a93de5f00c4
Instruction ID: a42efaf5916523fe45ce5ec196334e356e84b21b4c822515d5138a1eac461d2d
Opcode Fuzzy Hash: 30ffab6070fa883b64e17d1d7427e0eb7988493b21d41f05aa6e5a93de5f00c4
Instruction Fuzzy Hash: 6452D474A10229CFDB64DF28C984B9ABBB6FB88305F5481D9D90DA7355DB30AE80CF50

Function 05538628 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4876244d53153f3b9af60c55e2330ae7ef126910db6591652677e9851a964c
Instruction ID: b257a16dd7d711d198f58f8eaaa86cd8025fc7d806cb3174b11bdfe8c34ab7ab
Opcode Fuzzy Hash: de4876244d53153f3b9af60c55e2330ae7ef126910db6591652677e9851a964c
Instruction Fuzzy Hash: 9AB1E770E01248DFCB59DFA9D456BADBBF2FB49304F508469E819AB390DB389985CF10

Function 05538638 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bf1f7c61003ed2ed0ab73ce7b78c24c800b297d57eb5ba895dc19b145932ad
Instruction ID: e6f03974aa350a80b8380550365898d5e4182a732451e9c05d830558e53316b9
Opcode Fuzzy Hash: c5bf1f7c61003ed2ed0ab73ce7b78c24c800b297d57eb5ba895dc19b145932ad
Instruction Fuzzy Hash: 56A1D770A01208DFCB59DFA9D055BADBBF2FB49304F508469E81AAB390DB789985CF50

Function 013FCF00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12877eaefc7c5d614fa1c639aaa672b66f88c755850cc0f2daa33ab09e9da607
Instruction ID: 47a29e9b5bd46decbbf19cf0562373997403b4bcc5ad88fea90bd0f4d5275df8
Opcode Fuzzy Hash: 12877eaefc7c5d614fa1c639aaa672b66f88c755850cc0f2daa33ab09e9da607
Instruction Fuzzy Hash: C851EA75E10218CFDB24CFA9C984A9DBBF6FF88314F1491A9D518A7366D7309946CF40

Function 013F5A80 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

djo, xrefs: 013F5ABA

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: djo
API String ID: 0-647929198
Opcode ID: 417275b1dd8b8874d3c84df52abbba46642d6631d8d841c3e86348c51115c730
Instruction ID: d56ccd9491fef58bf256a0713321ed22d64862bf4bebf148875a71c90a4a7a48
Opcode Fuzzy Hash: 417275b1dd8b8874d3c84df52abbba46642d6631d8d841c3e86348c51115c730
Instruction Fuzzy Hash: DF011334E002088BDF08EFA9D5046ECBBF5AB8A214F14802AD515B7250DB322E568B25

Function 013F5A71 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

djo, xrefs: 013F5ABA

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: djo
API String ID: 0-647929198
Opcode ID: 314e5046155d7b27c3a9a0e7ae76ae56b58a0c74ffcbbaaf8448dbd1cc48e0ad
Instruction ID: 5531e9051dee9bddd0ada724c324b0aabf7179d946db1993eef120a7ea4a07f2
Opcode Fuzzy Hash: 314e5046155d7b27c3a9a0e7ae76ae56b58a0c74ffcbbaaf8448dbd1cc48e0ad
Instruction Fuzzy Hash: D9018B30D002088BDF09DFA9D6042DCBBF0FB8A204F14817AD514A2640DB362E56CB51

Function 0553AA4D Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

+, xrefs: 0553A77E

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: d5b4823eb38e6dc9f3903501fd2bf7ea92b90543926e4c77053d09354d61d669
Instruction ID: d50a2dcb6bf6d24397ad29fd09987c0ca3133fb00f5814bef96ac109c2abcbf7
Opcode Fuzzy Hash: d5b4823eb38e6dc9f3903501fd2bf7ea92b90543926e4c77053d09354d61d669
Instruction Fuzzy Hash: 6D01ABB094622DCEDB20DF68C9997EDBBB2BB48305F2005D9C40DA2240D7B55E88CF84

Function 013F15EA Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

, xrefs: 013F1650

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 80b29dd439942fc0b68dc61d4c3827a342016cbfaa6845e8a6e7c0495e471df2
Instruction ID: 86e3d8374ffe1401ddd9b8ea26eb7bdd6e9dfa10c0157c1beeb5ad740c96e077
Opcode Fuzzy Hash: 80b29dd439942fc0b68dc61d4c3827a342016cbfaa6845e8a6e7c0495e471df2
Instruction Fuzzy Hash: 0301FA74910628CFCBA5CFA8C888A9CBBB1BF49305F1041D9E51DA7761D7319E848F00

Function 0553A753 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

+, xrefs: 0553A77E

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 31a0cdb426ac07652efe3edb7ba754544b71d2ea8cd899445c05969b51b3b906
Instruction ID: 9daf050e6a9c1cc10e5e6621883fef17548af06208f38007fc1c32442a3e5f79
Opcode Fuzzy Hash: 31a0cdb426ac07652efe3edb7ba754544b71d2ea8cd899445c05969b51b3b906
Instruction Fuzzy Hash: C2F09D7094622DCFDB60DF68C888BD9B7B1BB48315F6005D9D408A2240D7715E88CF44

Function 055301FF Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

I, xrefs: 0553023C

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 0e77be1b1dc694516cdb89c62ca90b1889897ae4ab6bf93a9a38be283500df2a
Instruction ID: 629e649f3bd385baf45ebf04ec122b16aadb213434b507b3a0f9b0b12570d669
Opcode Fuzzy Hash: 0e77be1b1dc694516cdb89c62ca90b1889897ae4ab6bf93a9a38be283500df2a
Instruction Fuzzy Hash: BCE0B678A04229CFDB64DF64D9947EEBBB1FB49305F0041EA9469A3394D7785E818F80

Function 013F1379 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

,, xrefs: 013F138F

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 15e9c4c20ee6dc365ef2c91601680b62e68321caf06743bc95b6873d10f4f042
Instruction ID: 3c5c0798dad46d7d98bdd29393801d5fa4231ffd56852421d487b6369069bdeb
Opcode Fuzzy Hash: 15e9c4c20ee6dc365ef2c91601680b62e68321caf06743bc95b6873d10f4f042
Instruction Fuzzy Hash: C4D0CAB9604004DFEB88CB28D988EAA77BAEB48304F108288B40987262CA309804CE20

Function 013F1744 Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

&, xrefs: 013F1762

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 6f758e5ec01baa9189f948b80a1cfc3c67b2cee5482b7a7970924f1a89ef5ad4
Instruction ID: 0e7117218ebfef74778c4b5881d768c8d17bdf5d78cb286615b691a07f17dc72
Opcode Fuzzy Hash: 6f758e5ec01baa9189f948b80a1cfc3c67b2cee5482b7a7970924f1a89ef5ad4
Instruction Fuzzy Hash: 57D00234945228CFEF759B60DD4CB99BB72AB49305F6081DAA51D32295CB721EC98F10

Function 057BD74D Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f242ebe4b5b2bf6b98d8a90f38a807feb6297807d63f215453d84ea037b6714c
Instruction ID: 09267a5e5faee1ae3357f43e7a6ff574025db0b9d4ef900bc466643039db10ae
Opcode Fuzzy Hash: f242ebe4b5b2bf6b98d8a90f38a807feb6297807d63f215453d84ea037b6714c
Instruction Fuzzy Hash: 6C62F578A05228CFEB24DF68C990BD9BBB2FB89304F5081D5D819A7745DB34AE80CF51

Function 057B0FEA Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60cb53913d2115bab3dc17bc35d08ff9023a77ec22fcdc77d7349a6c5a95b4c
Instruction ID: 9bfe65fac5f150d8bff9b7537615ab85479209ca1b2e25ff5905faa09eda4a78
Opcode Fuzzy Hash: e60cb53913d2115bab3dc17bc35d08ff9023a77ec22fcdc77d7349a6c5a95b4c
Instruction Fuzzy Hash: 58F1F678A10228CFDB69DF28D994ADDBBB5FB88304F4081E9E519A7354DB349E81CF50

Function 0553BA28 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50136e6b07c1fb7ab26285589817334206bfe75fd304311469d012ddab5c6d37
Instruction ID: 9b7fafd9bb93026c550b258dfb3fce7f141c5b8d2d56a499d0ca69ae5586156d
Opcode Fuzzy Hash: 50136e6b07c1fb7ab26285589817334206bfe75fd304311469d012ddab5c6d37
Instruction Fuzzy Hash: D8C10274E05219CFDB14DFE8C845BEDBBB2FB88314F10842AE51AAB255CB745A44CF91

Function 013F375A Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bda4c74e69b5211d25ea5511b58760512222fa4f33bd1c3f601ad5278c9a79e
Instruction ID: 1c51dcff590d99a8d83a6e6948677248edfe72591806b3f79e52bb86b7663373
Opcode Fuzzy Hash: 8bda4c74e69b5211d25ea5511b58760512222fa4f33bd1c3f601ad5278c9a79e
Instruction Fuzzy Hash: 17D1D638906258CFD7A4CF68C888B89BBB1BF49315F5581E9E5099B366C730DE88CF51

Function 0553BA18 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f240fe4b226a3213c3b14dda96ddd785035f32c971cd70668a6656a942ea48
Instruction ID: 7ff7e7cb6a359b2343303fba9a44026657a4799d80132e8861cd55bf12c84158
Opcode Fuzzy Hash: a3f240fe4b226a3213c3b14dda96ddd785035f32c971cd70668a6656a942ea48
Instruction Fuzzy Hash: 6D912470D05219CFDB14DFA8C946BEEBBF2FB88314F10842AE41AAB255CB745A44CF91

Function 05538A18 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6decc49b4f702d8a0fbd865c850e2c135c59f549fc1798d247246f52331dff0
Instruction ID: 6f5834f800a94bd32260a6ba9775756c1c139c46211ce78ab4423fc2f66bd1fe
Opcode Fuzzy Hash: a6decc49b4f702d8a0fbd865c850e2c135c59f549fc1798d247246f52331dff0
Instruction Fuzzy Hash: 0091D574A01209CFCB19DFA5D495A9EBBB2FF88300F608469D415BB365DB39AC85CF50

Function 057B6363 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ac87760e62703e09b9829b6890306277e2ea62887a3f33fc5335699a9d3224
Instruction ID: e56a5cdfb555417a5822d1bc26de503030a755236554acd783017c11d89a6ca6
Opcode Fuzzy Hash: f6ac87760e62703e09b9829b6890306277e2ea62887a3f33fc5335699a9d3224
Instruction Fuzzy Hash: 41B1F778A10268CFDB28DF28C994AD9BBB5FB88305F5085E9E51DA7345DB709E81CF40

Function 013FA590 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97503624c8821cc3b5cf95702f2060f8357c82d2b3f42a280d03fb37124b5a5a
Instruction ID: d0f2b7e7b2b084cc446eace8f434d94de4cea06c207e224655c26bd79fab80c2
Opcode Fuzzy Hash: 97503624c8821cc3b5cf95702f2060f8357c82d2b3f42a280d03fb37124b5a5a
Instruction Fuzzy Hash: 1B71C278E14208DFDB08DFA9D58469EBBF2FF88308F548029D929A7358DB385D45CB51

Function 013FA5A0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e315b0108e008294ea67a57507775cc4ca7c4a6a36508b512469ffca420021
Instruction ID: d86cdc4cd338a945c8b1588c5fbe316f7c6af24f67c8f4fa935394034b867827
Opcode Fuzzy Hash: f5e315b0108e008294ea67a57507775cc4ca7c4a6a36508b512469ffca420021
Instruction Fuzzy Hash: 6D71D278E14208DFDB08DFA9D58469EBBF6FF88308F548029D929A7358DB385D45CB50

Function 013F3FA1 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a406889ab7b3b757bd234c5e73bdf71ceee6c01e5fd00d0a9c3ecd8a39fff4f1
Instruction ID: 82f8bcfcc94f548e0cd64ee929d563eab44ba053f18d91def57350c019798da0
Opcode Fuzzy Hash: a406889ab7b3b757bd234c5e73bdf71ceee6c01e5fd00d0a9c3ecd8a39fff4f1
Instruction Fuzzy Hash: 76612274D0534ACFDB04DFA8D4446EEBBB1FF89309F608129D615B7288DB78598ACB81

Function 057B5D47 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed7c939fac74a6a30bf90a8d4c96fdb3c609c77a438a8256b1d916ae23fe4d9
Instruction ID: 8f644f6d1cf2f326b23b926b2b5827c78053e34bd6f41794a1447702acca9e2e
Opcode Fuzzy Hash: 0ed7c939fac74a6a30bf90a8d4c96fdb3c609c77a438a8256b1d916ae23fe4d9
Instruction Fuzzy Hash: B681E778A14228CFDB68DF28DD90AD9BBB5FB88305F5042E9E519A7345DB345E81CF40

Function 05533C17 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc22fdcc9ab4df3a7f2e2ab234e0237a2476ebe2af62a6edf30e753d23d74a1e
Instruction ID: ba25f102e2031369d63d24bf6cb8bd362c9e2f0335108c577d3f332c868815fc
Opcode Fuzzy Hash: cc22fdcc9ab4df3a7f2e2ab234e0237a2476ebe2af62a6edf30e753d23d74a1e
Instruction Fuzzy Hash: 4851B274E00219DFDB04DFA9D4856EEBBB2FF88301F21892AD82AA7354DB745945CF90

Function 05533C28 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c455e5ec5d09cb70e1b25833a9172904e965d916cc5a4289abb4f810c9681f3
Instruction ID: 920199a0294bd7f588205dfca9d7e948fcdcad2320cf45e0f6a918d7e9652bd6
Opcode Fuzzy Hash: 6c455e5ec5d09cb70e1b25833a9172904e965d916cc5a4289abb4f810c9681f3
Instruction Fuzzy Hash: 9251D174E00219DFDB04DFA9D4456EEBBB2FF88300F21892AD82AB7254DB745945CF90

Function 057BAA60 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d2d05a2bd0f739c5a7e619df60be8bdb96d9d3319ae1783f3f6755442592ad
Instruction ID: 0c378b7c572b222cc1aaf64f1b878128cd8b0de936fc3c04c3a9784afadf11df
Opcode Fuzzy Hash: e6d2d05a2bd0f739c5a7e619df60be8bdb96d9d3319ae1783f3f6755442592ad
Instruction Fuzzy Hash: 7351F478A10258CFDB68DF28D950ADABBF6FB88304F4084E5E419A7355DB34AE81CF50

Function 057B1A73 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f67dfcdae2fe57eed4afa76651c131a0baa2cdb870758f51c7e18fb8184f854
Instruction ID: ae8bdd60c00ee30af173cd128e138435432667c07391216b034189cd84e1c6d8
Opcode Fuzzy Hash: 0f67dfcdae2fe57eed4afa76651c131a0baa2cdb870758f51c7e18fb8184f854
Instruction Fuzzy Hash: FB41D378A14228CFDB28DF68D894AD9BBF5FB88304F5041E9E519A7355DB30AE81CF50

Function 013F61F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c554e0edf9ef1d77cbd11e256d7d7468e1fe017a6c3ea1d99092290b2eed11d9
Instruction ID: 966895f6e46ff89d5e6cdb350bebc6379c605aaca7222e4f730b4458cd1847b5
Opcode Fuzzy Hash: c554e0edf9ef1d77cbd11e256d7d7468e1fe017a6c3ea1d99092290b2eed11d9
Instruction Fuzzy Hash: FC419F79E001099FCB44CFA9D9859EEBBF5FF88314B1480A9E914EB321D730AA51CF50

Function 057BD07E Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b045bc2de77ba93a088f9585ff33b90ba15092217eeee821cdc4bcab608b8e
Instruction ID: d54a5e44b4b07447c9a3f8eb44649c0fabfc3d9971b5449566ab40d3eda8ee9a
Opcode Fuzzy Hash: 76b045bc2de77ba93a088f9585ff33b90ba15092217eeee821cdc4bcab608b8e
Instruction Fuzzy Hash: D9510978A00268CFCB68DF28D990A99BBB2FB88305F5144E5E50DB7354DB709E81CF40

Function 013F083A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5858ede84366d2a50822c3507135ccd45cee8c735998127601f23e5603deba6a
Instruction ID: 36e16b35fc6e3f6bb31411e8a817c9e36478883ad09eee8c9c38afc2f0b0e9fa
Opcode Fuzzy Hash: 5858ede84366d2a50822c3507135ccd45cee8c735998127601f23e5603deba6a
Instruction Fuzzy Hash: 7D317E70A05209DFDB08DFADC0083ADBFF6FB45308F5480AAD925A365AD7784A84CF81

Function 013F6430 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a42093561992e917c752f6df4ad87a1f8fa6f0bea36e933e22b8a213feece04
Instruction ID: 659cb1255759ce8c37c1ea6c0486f49a6c2c1c0a3692989fdae2bf7ce13a3754
Opcode Fuzzy Hash: 1a42093561992e917c752f6df4ad87a1f8fa6f0bea36e933e22b8a213feece04
Instruction Fuzzy Hash: B72117B4E00219CFDB08EFA9D8053EEBBF6FB89305F04842AD625B3654D77449818F91

Function 013F0848 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4536d3b7a9b5daade30fb3def8e05aa2d81743e43511c8b280a9cd76f58ea8f
Instruction ID: 941b744ef34840b172e4e33a84f2d29e3799f4508706774b484a8b15eba9ec5a
Opcode Fuzzy Hash: e4536d3b7a9b5daade30fb3def8e05aa2d81743e43511c8b280a9cd76f58ea8f
Instruction Fuzzy Hash: 79314D70A05208DFEB08DFADC1447ADBFF6FB48308F5480A9D525A365AD7744A84CF81

Function 0119D4B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886808803317.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6598b57ba69b447a74c2032511c4329c33393a7c17fc72c380f1f9d0ab67b4c
Instruction ID: a74ac44628589e961eca0a3336a3dccd2c99ed70b251f8945821d5dbf0abf6a8
Opcode Fuzzy Hash: d6598b57ba69b447a74c2032511c4329c33393a7c17fc72c380f1f9d0ab67b4c
Instruction Fuzzy Hash: F221F471604240DFEF09DF58E9C0B26BF75EB88318F248569E8090B246C336D455CBA2

Function 05533E87 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd08c732fe73ff892f4284bb14780e9140cb872e918c45f0d4a14c3d2ae26ca5
Instruction ID: 1906dc3939a077a4d78d078a84ab76edcd5012bed539873942e72cb6c192b831
Opcode Fuzzy Hash: dd08c732fe73ff892f4284bb14780e9140cb872e918c45f0d4a14c3d2ae26ca5
Instruction Fuzzy Hash: D9216DB4D0820A8FDB04EFA9C4456AEBBF2BF89300F55CCA6C419E7211E7389945CF81

Function 057B0D5F Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3445082069acb8ff032e0ab25e98305e3e819d8b1882f5633606c62aa6b705aa
Instruction ID: 88d99be37c1c694f2a0d86c23a32750b7a27477cf4b1bef3cdc96733633b262e
Opcode Fuzzy Hash: 3445082069acb8ff032e0ab25e98305e3e819d8b1882f5633606c62aa6b705aa
Instruction Fuzzy Hash: 2A41C178A102298FCB64DF18C9A0AE9BBF1FB88354F4141E5E91CA7755DB30AE81DF50

Function 013FC950 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1722612509f07bf280e0818b363582e6fd9cba41bf144aa3818008c0e825b1
Instruction ID: 5c5b166be1d7e07008b3677b0850a88cb90049a79fe912cb4eace5a6d11453a2
Opcode Fuzzy Hash: fc1722612509f07bf280e0818b363582e6fd9cba41bf144aa3818008c0e825b1
Instruction Fuzzy Hash: 3F211671D502098BEB08DFA9D4486EEFBB5FB88315F14A02AD515B3644DB744A44CBA1

Function 013F081F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfadb1507704342dda9b26cec319890b7ac17175c3c087bf5dc04b078ecca3b
Instruction ID: 1971164494493b9ddf54d5dc29be36f9c0efeb23859691297abb260033986ae8
Opcode Fuzzy Hash: abfadb1507704342dda9b26cec319890b7ac17175c3c087bf5dc04b078ecca3b
Instruction Fuzzy Hash: F5218E70A05209DFEB09CFACC0487AD7FF6FB45308F5080A9E925A765AD7344A85CF81

Function 013FC960 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc14554423b9738eb923af87d6f91ca6125fff0860bc656a6d5d6f368eb2a11a
Instruction ID: e58a859b7f99c8552f528184f5af6f0ba3c32704e0eeac3c3f24aa4dcb8f8c2a
Opcode Fuzzy Hash: dc14554423b9738eb923af87d6f91ca6125fff0860bc656a6d5d6f368eb2a11a
Instruction Fuzzy Hash: 9E211470D4021D8BEB08DFA9D448AEEFBB5FB88315F14A02AD515B3644DB741A448BA1

Function 013F68C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1ed2d61adad4dd64433262fc9f65fd7a7cf6bf72e4d2de9240bf2c6cf51e3c
Instruction ID: 1d2d695b324485a132b2fa815a8b4c5c88bfcbe0d7bdbe84752215ebf63e917d
Opcode Fuzzy Hash: bc1ed2d61adad4dd64433262fc9f65fd7a7cf6bf72e4d2de9240bf2c6cf51e3c
Instruction Fuzzy Hash: FD2133B1D042099FDB14CFAAD845AEEBFF5FF89304F14842AD625A3250D7715A85CBA0

Function 013F62F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8560042076304430a395082c04f48f8b209c0cbafc24a9ce866d38fb53acdf2
Instruction ID: f21db94760be988dbece2460a6114d00bb638f47b21698fdc7f33b6f234ccd08
Opcode Fuzzy Hash: f8560042076304430a395082c04f48f8b209c0cbafc24a9ce866d38fb53acdf2
Instruction Fuzzy Hash: 1F11F8B0D00209EBDB04DFA9C84679EBEF9FB85308F5484BAD515E3210E7719680CB41

Function 0119D4AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886808803317.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b7c21e3fad281765da461a76d958849fab46a4c34ff63cdc3c3480cb54af64
Instruction ID: 4d2f57d73065e59492aeeecc3fc27e05df4cf289dc12bfb442ac6e3f43f1a71a
Opcode Fuzzy Hash: 30b7c21e3fad281765da461a76d958849fab46a4c34ff63cdc3c3480cb54af64
Instruction Fuzzy Hash: 1F11DF76504280CFDF06CF54E9C0B16BF71FB84314F24C6A9D8090B256C336D456CBA2

Function 013F68D0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32e268888e70968a48af35ad3a9c8a7c754e92ee0d421260421af6e7c60954e
Instruction ID: 974f2276b5ce6d6909cdd8459c7745e8a1a4dcf0a9dc26673ea1e1aef3f952d0
Opcode Fuzzy Hash: a32e268888e70968a48af35ad3a9c8a7c754e92ee0d421260421af6e7c60954e
Instruction Fuzzy Hash: 761123B1D0420DDBDB08CFAAD8456EEBBFAFB88304F10802AD615A3210D7701A85CB90

Function 05538D5F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55a89aca2a8d995da1845edeac46a99cffca4ee51e993a4359ae0826215edae
Instruction ID: c52faeee05e62b8015b5fe4bd24e25e0ee56c8a626e93c97f15be5a320220f9e
Opcode Fuzzy Hash: b55a89aca2a8d995da1845edeac46a99cffca4ee51e993a4359ae0826215edae
Instruction Fuzzy Hash: EE112BB0E002099FCB48DFA9C841AAEBBF1FF89304F14816AD519A7355DB354A02CB91

Function 013F5BC1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f14425e305be310850bee89e06e7ff58c9b982e31f9eea330902ca3857062b
Instruction ID: 72cd4a7fed7f0930240ef3bcead61ed48cb2766769c5b1b84857b4819f252b75
Opcode Fuzzy Hash: 49f14425e305be310850bee89e06e7ff58c9b982e31f9eea330902ca3857062b
Instruction Fuzzy Hash: 2711E13199434CCFDB548BA8E4443FC7FB4BB45219F5C512AC665A625AC72448898F21

Function 013F6308 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9418643e563d6a0e67bec929500440a00b7cbdb7953d6bfceb5fdc2e46b201e1
Instruction ID: 786c467db769d80e6c766d438c6a9ab28d6f53e13744b2ddb2deedf582f77050
Opcode Fuzzy Hash: 9418643e563d6a0e67bec929500440a00b7cbdb7953d6bfceb5fdc2e46b201e1
Instruction Fuzzy Hash: A511E8B0D04209DFEB04DFA984466ADBBF5FB49308F5484BAD515E3220E7719680CB41

Function 013F5D00 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3543462d772acf00ee07354b47dc7a534043fc683b23712ab338848e2415057c
Instruction ID: d08b57332df5d254bad24e21b3eb84070e82daef50b32e91d7684bdd2850476a
Opcode Fuzzy Hash: 3543462d772acf00ee07354b47dc7a534043fc683b23712ab338848e2415057c
Instruction Fuzzy Hash: D511A274A01208EFDB14DFA9D584A9DBBF1FF48300F10D1AAE919AB350D770AA81DF50

Function 05538D70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0765b95afd73f09bcb6880d94b40fbeb6542950557c2444f6cc627fd4c1b2cdd
Instruction ID: c531a9dd726fdfb9eaa93a50e8441f419180b07a2aa4863ce03718ab415d0879
Opcode Fuzzy Hash: 0765b95afd73f09bcb6880d94b40fbeb6542950557c2444f6cc627fd4c1b2cdd
Instruction Fuzzy Hash: 8411BEB4E002099FCB48DFA9D8416AFFBF1BF88300F548569D519A7354DB345A418B91

Function 013FAC9F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c895e1bcd236d7b0d7f55c744152f37958534b593d2573de21a6cbd0949b62
Instruction ID: 8624ec4403faf8629b669b6b4b9c3029e36495b0a4436df23e2b3cc87c780c6b
Opcode Fuzzy Hash: 65c895e1bcd236d7b0d7f55c744152f37958534b593d2573de21a6cbd0949b62
Instruction Fuzzy Hash: D001A231A00208EBDB04EFA9E8517DDBFB8EB41309F6451BA894593341DB729D42D791

Function 013FCA61 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6c2a3d404d6622561a085260d2e6f212cc406d91b5b8d9be84cb86107b66d1
Instruction ID: 8849bd6b5979bf21d79077308a6e6314762bf3fbd92b8af3496d3d9216ef2d3b
Opcode Fuzzy Hash: 5e6c2a3d404d6622561a085260d2e6f212cc406d91b5b8d9be84cb86107b66d1
Instruction Fuzzy Hash: D8F09635640108EFEB04DFA8E451BDE7BB4EB85308F54A1AA990493350DB319E95D791

Function 057B6240 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf4ad527ec3af2157f5c5fee9b802c608f12fcb777927ce164c2194a3cee0fd
Instruction ID: 5fff00661ea72df1ddb04aef8a40eb093ab3f87ef969b170716e9bf455f51e5f
Opcode Fuzzy Hash: 2bf4ad527ec3af2157f5c5fee9b802c608f12fcb777927ce164c2194a3cee0fd
Instruction Fuzzy Hash: F6010478A00218AFDB28DF58D8909D8B7B1FB88340F5182D5EA19A7310DB30AE848F51

Function 057BEAD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a5209011f25021945342f57a313136cbc8e0b8aac13bb840f2fa5bdb2dc54a
Instruction ID: 845bd9200f466b64c5516065271694d3caf3f8b75e26ecbdcdad23a7cf5a1c4a
Opcode Fuzzy Hash: 97a5209011f25021945342f57a313136cbc8e0b8aac13bb840f2fa5bdb2dc54a
Instruction Fuzzy Hash: F1F0AFB4D042489FCB14CFA8C9806DDBFB0FB05210F1482AADC64D7381D3719A42EB81

Function 05532AC1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1900e493d21b20e2330a08c7c0b44de4ca3c5f5ef3fdc70cf730dbd214b61561
Instruction ID: 136d5584be8cbb6fd1d91b084820c0c801a80df46392c28cd1a6466deb94bf82
Opcode Fuzzy Hash: 1900e493d21b20e2330a08c7c0b44de4ca3c5f5ef3fdc70cf730dbd214b61561
Instruction Fuzzy Hash: 53F08C38D082489FCB15CBE5E6562ACBFF0FB85201F1882DBC82897752D675CA02DB91

Function 013F3C2B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8cb5eac21a2266d50211a4736a9257b7f0a40a09743d65c5cbb6a7fabd397c
Instruction ID: 20fbf008da8283d4252bf010bf972bd26f6b7ef218c5a05c069088678828b335
Opcode Fuzzy Hash: 2d8cb5eac21a2266d50211a4736a9257b7f0a40a09743d65c5cbb6a7fabd397c
Instruction Fuzzy Hash: F301EC70842129CFDB298F18C958BECBAB5FB05309F1441EDE619632D2C7745AC1CF40

Function 013F5358 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02abc2f5dfeb4cc1ad2d75eecb4296de8ed4f197a6ee8d2090a75303aac61f90
Instruction ID: 3b7a4ecb6b75cfc1cead2b38fb264ea9c857d1334b7ffd97ee60d608980f1bc7
Opcode Fuzzy Hash: 02abc2f5dfeb4cc1ad2d75eecb4296de8ed4f197a6ee8d2090a75303aac61f90
Instruction Fuzzy Hash: C0F09070900307CFCB04EF98D4005EEBBB0FF85324F11406AD554A7200D3751987CBA1

Function 013F5BD0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50a2f2792991c5546d79048d64724b8b17466c4ac745bc948d9ce93d72409da
Instruction ID: ae2a4701155a0dd946fa85da722c8969ae820cd2d45b1c2ca0fd00fdd81c92da
Opcode Fuzzy Hash: a50a2f2792991c5546d79048d64724b8b17466c4ac745bc948d9ce93d72409da
Instruction Fuzzy Hash: 3CF0A030D5424DCBCF04DBE9E4016FEBBF8BB8A204F445139C625B3255DB341959CBA2

Function 0553B9C0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8273d3c18cfa698688455eb67972bafbb032ed075623fb9e65aac230ce0cf1a4
Instruction ID: 8c7ebd4a10e3f443de0ff61234a752fe19e225e9632b3731372f7f4b646efabc
Opcode Fuzzy Hash: 8273d3c18cfa698688455eb67972bafbb032ed075623fb9e65aac230ce0cf1a4
Instruction Fuzzy Hash: 2FF05B315441449FD754CF98C441BDDBFF1FB45324F54829AE878D6281D3399652DB50

Function 05537B4B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68602009d5cfe560164f7a2d871646bede43fdb286b5b403697cc1d85ae28b9f
Instruction ID: 767fb1eba40729c9bc198bbd1ffbe04c8b3d1c91517b8a3601e6844a04d2b2d2
Opcode Fuzzy Hash: 68602009d5cfe560164f7a2d871646bede43fdb286b5b403697cc1d85ae28b9f
Instruction Fuzzy Hash: 53F03075D00208AFCB54DFA8D54179DBBF0FB49310F1482AAD868D7341D3359A42DB41

Function 0553C5C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216130f7c88335570fdeeb3aad19db03f9660b44f3a611a9c1451f0db161b434
Instruction ID: e1f668680b1618f025bae9eee76cd697722613dbe223785c22b77c493505bf23
Opcode Fuzzy Hash: 216130f7c88335570fdeeb3aad19db03f9660b44f3a611a9c1451f0db161b434
Instruction Fuzzy Hash: 89F0F875D04208AFD744DFA9D44579DBBF4FB48310F1480AAD858E3341D7399A51DB91

Function 013F65C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d731afe84098888163147c51143209cb6c6c46f6509bbcde958b41df15ca7b
Instruction ID: 2cb661f34856d4cc051adb00dc5ee4be44ceef1acdfe2013b985f7ef4de9c323
Opcode Fuzzy Hash: b8d731afe84098888163147c51143209cb6c6c46f6509bbcde958b41df15ca7b
Instruction Fuzzy Hash: 7CF0D4B5E00208EFCB45DFA8D841B9DBFB0FF88304F54C1AA9968A7340D7369A51DB81

Function 013F139C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cb8da4f1f6d2c5281b2415a047f5c68493127ea250f94e8ec7336116f2e55f
Instruction ID: 2390db2753e452e584f1d60fe211cf516ac6bc74fc0ff4cdabe51b103a02bf73
Opcode Fuzzy Hash: d8cb8da4f1f6d2c5281b2415a047f5c68493127ea250f94e8ec7336116f2e55f
Instruction Fuzzy Hash: 77F01270A0011DCFDB54CF58CCC4FA9B776EB44308F108199E519A7251C7309D88DF11

Function 0553B9D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0716dfe740421cdc70f09dbf114162b334eb841aa2157f75c75a3854eb8acd
Instruction ID: 22b738ebb70514eb0620c8d8d82fbcf675ac88fc9f43f398ea01cfab55787f91
Opcode Fuzzy Hash: 4c0716dfe740421cdc70f09dbf114162b334eb841aa2157f75c75a3854eb8acd
Instruction Fuzzy Hash: 6AF0F275E04248AFCB84DFA9D841AADBBF4BB48210F14C0AAA868D3240D7369A51DF90

Function 055399B1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617a63ceb10176758276789f7ef5eaf68cf8da48e1c00e4c0457ac8751c7082a
Instruction ID: 7fb10fb7fc5086bb3ff529b975c43b925c6bcca5b1a136ed0322025e5b01aedf
Opcode Fuzzy Hash: 617a63ceb10176758276789f7ef5eaf68cf8da48e1c00e4c0457ac8751c7082a
Instruction Fuzzy Hash: A2E0D8765041449FC304CA94D581BAA7B71EB55325F5882A98C688B342C737DE43C640

Function 05537E52 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6a8612a929746d14fa4607a85825751f73e5b602bf6c9ce0ce73043c77cc02
Instruction ID: 2ae1d8bd065f018cd9947aaa79bb8bcc3586cacf0e675e81b4993f32202f4858
Opcode Fuzzy Hash: cf6a8612a929746d14fa4607a85825751f73e5b602bf6c9ce0ce73043c77cc02
Instruction Fuzzy Hash: 19F0AC74E44208EFD758DBA8D84179DBBB0EB49314F5481AAD818D3341D7359E52DB81

Function 013F4238 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d980288b8d8d811cce8a2d3764a2beff20127db4084d65ea55b3b3f787e2758d
Instruction ID: 7f17ca6c22f7464b4ae0e195a7334f99587662000ecfec5867f83bf949090c77
Opcode Fuzzy Hash: d980288b8d8d811cce8a2d3764a2beff20127db4084d65ea55b3b3f787e2758d
Instruction Fuzzy Hash: 7FE0A2728053049FCB668FA0A800AAA3FB4BB02300F4001ABD012D7261EB394A409B52

Function 013FE890 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767045471c0039243a805457313cef3e0028830160f39b89c748e8f41675990f
Instruction ID: 787b51225281ae27c3f79be28e210cbdd2a8569b2222a7afd693c9a84611f10e
Opcode Fuzzy Hash: 767045471c0039243a805457313cef3e0028830160f39b89c748e8f41675990f
Instruction Fuzzy Hash: 21F0A030900208ABD714DFA4D4427ACBFB1EB44310F1480AADC1057342C7369A51DB85

Function 013FBC87 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f4c47f220b4a78af77bed70d687c5306973aad6d44ae45ae12fe6ff643ba26
Instruction ID: 755e319bc0fbf9166d98f73a256dae6fd0278a803dd4bbfa9a4891712bcfbbe9
Opcode Fuzzy Hash: 22f4c47f220b4a78af77bed70d687c5306973aad6d44ae45ae12fe6ff643ba26
Instruction Fuzzy Hash: BCE0DFB2908248EFD700EBA8E91178E7FA8EB41308F5445BAC540E3250EB318E50A792

Function 05534520 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb37d66bb7391dceba9956d66d7f128f9b06c470dda537068bf5500972a21eb
Instruction ID: e98a822649a7385d2c2a4cdb137dd64b604cbcad35ac984a5a2fc97aa1a74156
Opcode Fuzzy Hash: adb37d66bb7391dceba9956d66d7f128f9b06c470dda537068bf5500972a21eb
Instruction Fuzzy Hash: 0EF05270E08208EFCB90CFA8D441A9CBFB0EB88310F1481EA9828E3350E3368E51DB40

Function 05533BD0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b825429d77285204c826f65d71310cc6e8a44db1af70d7d9d818bebf111a7e
Instruction ID: 93f4168cbfb5806b492696884c403794b4a6a832118306bf6ba1e7b772bc8b93
Opcode Fuzzy Hash: 58b825429d77285204c826f65d71310cc6e8a44db1af70d7d9d818bebf111a7e
Instruction Fuzzy Hash: 41F06570A047459FC714DFA8D441A9DBBF0FB46320F2882DA886897391D7369A47DB51

Function 013F5368 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dddebd5c17e8f7c4c3d154997276cf3804b438af81f33d38704a211f6c5e4b
Instruction ID: d1226f8404c1cff2880801d099a8e55dcd5e052b758fd02fb60cecffdaf51fc2
Opcode Fuzzy Hash: 77dddebd5c17e8f7c4c3d154997276cf3804b438af81f33d38704a211f6c5e4b
Instruction Fuzzy Hash: EDF01571D0021ACBCB04EB98D8019EEBB74FF84314F14852ADA2867200E7316A56CBE1

Function 013F5460 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad475494ab7b0103912803ba9e0bbbf3028b6c512f045615a797860685efec0
Instruction ID: 44ba828bbb1226f72c69e6ce8f90bc5ecb5669b8fcd57e2be8eec76a8ff270e9
Opcode Fuzzy Hash: 7ad475494ab7b0103912803ba9e0bbbf3028b6c512f045615a797860685efec0
Instruction Fuzzy Hash: 47E09A31A49244DFD702DFF4A4186AA7FB0AF02305B1851FAC401AB122EB364D04DB61

Function 013FC910 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a117a6f66da193d7f781b1c50cab597bcd53a4e5dd9da888666677354f21334b
Instruction ID: 9175651d97ae02a0a487858661bfb35a156a40858ade47af6d4af38522366810
Opcode Fuzzy Hash: a117a6f66da193d7f781b1c50cab597bcd53a4e5dd9da888666677354f21334b
Instruction Fuzzy Hash: E2E08635A04208EBD704DBE8E945BDDBBB4FB82308F64A1AEC85553340CB71AD82DB81

Function 013F58AA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac3eaefe15d4aabc18762e396c3e68b7436810d8449518429b17b89683cb461
Instruction ID: b21b5d6a58d8f591095749e45ed7b678efb0b06206470f30abc8acf50eff3120
Opcode Fuzzy Hash: 2ac3eaefe15d4aabc18762e396c3e68b7436810d8449518429b17b89683cb461
Instruction Fuzzy Hash: 78F0F234E48249AFCB45DBA8D4405A8BFF0AB8A214F1882EAC85897351D3769A52CB81

Function 013FD671 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6485cd978d14d11c33bc8fa3e3a0f2781e871d53df121777c81543975b535235
Instruction ID: f76e23c90e0dbd52b96b58d1821dc61fd9e5419c258ff3eed3763da2bf6a4069
Opcode Fuzzy Hash: 6485cd978d14d11c33bc8fa3e3a0f2781e871d53df121777c81543975b535235
Instruction Fuzzy Hash: D1E0D875900208EBC704DF98E841B9CBF70FB80309F5490A9D84413340C7319E52DA85

Function 013F65D0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2aeaa2bb102dd7255471b6dda91b64f2c5025474458c4db0a78a3f333f3e02
Instruction ID: e96b4f3961778dfdd0dfff94e13825f141af1b1cd5aca98ce0b9c317ea840ad4
Opcode Fuzzy Hash: 9e2aeaa2bb102dd7255471b6dda91b64f2c5025474458c4db0a78a3f333f3e02
Instruction Fuzzy Hash: 02F0A574E00208EFCB44DFA9D445A9DBBB1FB48300F14C1AA9828A3340D7359A51DF81

Function 013FACE8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782faa9d766df10c9f7286752df05f22bbf5cf3464e6beab4eeba0f52b962c74
Instruction ID: e5358223b0892b644cb4a1fb8560b9aff237eb80b3b311c9d45dd31087279275
Opcode Fuzzy Hash: 782faa9d766df10c9f7286752df05f22bbf5cf3464e6beab4eeba0f52b962c74
Instruction Fuzzy Hash: 1BE04F75904208ABD704DB98E89179DBFB4FB85309F6881BED84457381D7729D43D782

Function 05534530 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe76c905fe3c1d81a8cd4a635ebf2ff8d80aedaf2b6d6d13e863558c7cc8846
Instruction ID: 914460a25ed55e93352b02652ebec38777a569c0adc669f856b2a77b12057ab3
Opcode Fuzzy Hash: fbe76c905fe3c1d81a8cd4a635ebf2ff8d80aedaf2b6d6d13e863558c7cc8846
Instruction Fuzzy Hash: C9E0E574E00208EFCB44DFA8D445A9DFBF0FB88300F14C1AA9828A3340D731AA51DF81

Function 0553D860 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f828510a6f9290e81adae331db721e124ba21fa48c6c5c379caf029aeac6f1c4
Instruction ID: 6c0d194dffe513b40997f5a726a334a2ad4941d96d01794f0d9c1a6884bb0118
Opcode Fuzzy Hash: f828510a6f9290e81adae331db721e124ba21fa48c6c5c379caf029aeac6f1c4
Instruction Fuzzy Hash: 35E0E574E00208EFCB84DFA9D441A9DFBF0FB88300F14C1AA9828A3340D731AA51DF81

Function 05537B58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe76c905fe3c1d81a8cd4a635ebf2ff8d80aedaf2b6d6d13e863558c7cc8846
Instruction ID: 30425b5fdc9c25ca41a97bb299794ed7c19d4c51d4d3717285b4e8faca4696e7
Opcode Fuzzy Hash: fbe76c905fe3c1d81a8cd4a635ebf2ff8d80aedaf2b6d6d13e863558c7cc8846
Instruction Fuzzy Hash: 4CE0E574E00208EFCB44DFA8D441A9DFBF0FB88300F14C1AA9818A3340E731AA51DF81

Function 0553A7B6 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dec7b52062eb0a4ab3b7921ba5c56fd93a1164f2c0fdd1f5b1def94c23320d
Instruction ID: 251c03795749c9767ee0218552e21ac24409271d53c64f52ce732f2fc09634ac
Opcode Fuzzy Hash: e5dec7b52062eb0a4ab3b7921ba5c56fd93a1164f2c0fdd1f5b1def94c23320d
Instruction Fuzzy Hash: D0F0AFB0902129CFEB64DF64C999B89B7F0BB08300F1042D9E50CA3240D7709E84CF54

Function 0553DA18 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe76c905fe3c1d81a8cd4a635ebf2ff8d80aedaf2b6d6d13e863558c7cc8846
Instruction ID: 24326f10195c6c2381d990196735cf3f1869b146eadc4f7093f17dd7c160abad
Opcode Fuzzy Hash: fbe76c905fe3c1d81a8cd4a635ebf2ff8d80aedaf2b6d6d13e863558c7cc8846
Instruction Fuzzy Hash: 91E0C274E04208EFCB44DFA8D541A9DBBF1FB88310F14C1AA9818A3340D731AA51DF81

Function 057BEAE0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109ebf084271b477817db1fb78b81f68ed31c8f669abe2941ca6ad378c9ef49f
Instruction ID: 06a3cfb108ca3ccbdb8004f771fb60fc0eb06c1d913d095a3a3d9107bab6894e
Opcode Fuzzy Hash: 109ebf084271b477817db1fb78b81f68ed31c8f669abe2941ca6ad378c9ef49f
Instruction Fuzzy Hash: 7AE0C274E00208EFCB44DFA8D440A9DBBF4FB88300F14C1AA9828A3340D771AA91EF81

Function 013FCAA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46798c7fdbb3dac06ddd02d8670760fa984b83236aee7e87b0221a27cf635304
Instruction ID: 40d82900911157b3df74a499d934439e2830a94701a0809aef074cea018a319d
Opcode Fuzzy Hash: 46798c7fdbb3dac06ddd02d8670760fa984b83236aee7e87b0221a27cf635304
Instruction Fuzzy Hash: 57E068305482489FC319CB64C5009C87F60FB06304F1882DACC144B352C3325D97C640

Function 05537E60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52043a4e5db0cfbbcbf073007e283b8fcb736e6fb46380b2b5c0d33ef8132a
Instruction ID: c918b7ad7eececb82b903f69a3d0372a304e384259ad08d683ded8c6993840d7
Opcode Fuzzy Hash: ef52043a4e5db0cfbbcbf073007e283b8fcb736e6fb46380b2b5c0d33ef8132a
Instruction Fuzzy Hash: 34E07574E04208EFCB54DFA9D54569DBBF4FB88304F1481AA982893340D7359E56DF81

Function 013F106D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896c8ed9e307008f9535796e9b52bdaed6255c277c93fdab1bd66ff45742897b
Instruction ID: 2625dbd9036677103253fbca254e96717493602e732633bdf85c4a06c3bab110
Opcode Fuzzy Hash: 896c8ed9e307008f9535796e9b52bdaed6255c277c93fdab1bd66ff45742897b
Instruction Fuzzy Hash: 31E01A71A0011CCFD758CEA8CC94FA9B375EB88308F148199E50897361CB31AD488F11

Function 013FA558 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53125ce75e1275ea5586b319a340eb70bfe2338760bce1712bec93d1ea287e4b
Instruction ID: f07c1c0b032cac16398974c2050448e113ed786e300642a2bf0af8842afacbc3
Opcode Fuzzy Hash: 53125ce75e1275ea5586b319a340eb70bfe2338760bce1712bec93d1ea287e4b
Instruction Fuzzy Hash: B0E0C275940104DBD304CB90D681BD8B760FB81308F68939EC86A57740C7369D43C741

Function 0553E938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814ca5c0e4721b05082d59c48ab71a09a93459850f173481a4ebb28ecb27de62
Instruction ID: 204bda51b7872abd2f99072d32f91edfaed7553b6bee6434be52cc79408c333c
Opcode Fuzzy Hash: 814ca5c0e4721b05082d59c48ab71a09a93459850f173481a4ebb28ecb27de62
Instruction Fuzzy Hash: 53E0E574D04208AFCB04DFA4D441AACBBB4BB88300F1481AA985457340D7319A52EB85

Function 055399C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3910daa29b73012f69f17e8a3d26179c10a7204584e356c3f4459d8bc82bfe7a
Instruction ID: 780dc15a8f6dc0a1b50b5fb85486b84dae55a1e1b8257bb4c6b0a74364c1e6e5
Opcode Fuzzy Hash: 3910daa29b73012f69f17e8a3d26179c10a7204584e356c3f4459d8bc82bfe7a
Instruction Fuzzy Hash: 7BE08CB5904208EFC704DFA8E841AAEBFB4BB85300F1481AAD85867340D7319E52DB91

Function 013FE8A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878c19495fa8528b9a1e4089b976e037cb032cd49ce03b935499012317b747f6
Instruction ID: d2088aedcb743930ee8db22eb16c3a60c6841d96c7c9b389fdc503b3426f752f
Opcode Fuzzy Hash: 878c19495fa8528b9a1e4089b976e037cb032cd49ce03b935499012317b747f6
Instruction Fuzzy Hash: E4E01A74D00208EFCB04DFA8D440AACFFB1EB88300F14C1AADC6453340D7319A51DB85

Function 013F5B7F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ff478daa89f83778de1f41bc6fe261bb1c8bcb5fb0ce8777fed69f3374bf71
Instruction ID: 2aaeb87ea6323ec170da2511192b73e57ecdaf9b05f515b264a7eb6039c88841
Opcode Fuzzy Hash: 87ff478daa89f83778de1f41bc6fe261bb1c8bcb5fb0ce8777fed69f3374bf71
Instruction Fuzzy Hash: CCE0C25000C3C44FD36B036964197B03FA4AB0220CF9D02E7D6E480ADFD39A08DACF62

Function 0553683F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9a8b8a9416e2c9a02839f8f0557cc2db837274e6fd2febc09abebed7276773
Instruction ID: b2c93801513179f75a41f3a2f4a27203ac53a153cc8e20c6d7dd81efb1a4d6ac
Opcode Fuzzy Hash: dd9a8b8a9416e2c9a02839f8f0557cc2db837274e6fd2febc09abebed7276773
Instruction Fuzzy Hash: D1E0E534A00518CFDB14DF58DC44ACDB7B5EBC830AF4040E6D519A7300C7346E958F90

Function 05532AD0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ec8ca3bc0109d5825f48a007c9d23fe8cac6d5e7ee0bfb7ad8eb8af38b3841
Instruction ID: 172b74647af460753af4007f4ca41446aecb078369bfdf6caf7c611b13ab95ed
Opcode Fuzzy Hash: f9ec8ca3bc0109d5825f48a007c9d23fe8cac6d5e7ee0bfb7ad8eb8af38b3841
Instruction Fuzzy Hash: 6CE04634D04208EFCB14DFA9E4416ADFBB0FB88300F1481EAC82853341D7319E42DB81

Function 013F4248 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db0d472d420c5c0e628a3329f3f895530e3747b7dc2b97e8a67e843165442e2
Instruction ID: 7195410739a8b18b6d68aa4c4eb85510575719d43e47524742885b0f530d562d
Opcode Fuzzy Hash: 4db0d472d420c5c0e628a3329f3f895530e3747b7dc2b97e8a67e843165442e2
Instruction Fuzzy Hash: BBD0C271800208EFC714DFE4E40468A7FA8FB01301F5050B6951493150EF310E00AB92

Function 013F12CF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70e1cda6db66d5f04c66838a132509fe2780b6eb66d2555730b695e7b1e62b9
Instruction ID: dc182e5f348e3fe6e08baa441122f340966a2a1523a98b813ed278a697cd4fe5
Opcode Fuzzy Hash: b70e1cda6db66d5f04c66838a132509fe2780b6eb66d2555730b695e7b1e62b9
Instruction Fuzzy Hash: AAF01F7490022CCFDB64CF64CD88A9DBBB5BB09304F1041D9E919A7261D6325E80DF00

Function 013F5470 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3695b7f4d2c9f8618e9234275fa330acd8931a6a4df9873b286dd3409943099
Instruction ID: 126e61b0cdce64da485a15d3b3bcdce687f001f05cd1b870d365eba76c1aa25d
Opcode Fuzzy Hash: f3695b7f4d2c9f8618e9234275fa330acd8931a6a4df9873b286dd3409943099
Instruction Fuzzy Hash: 0AD05B7294120CEFD704EFF4E51069F7BE8EB01305F5451BA8504A3110EF324E10A791

Function 013F58B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd6bf72e8a35782288d7f14626ec8a3077a7cc4357f3603e364eaf606ff34d9
Instruction ID: 092c7b599ce268230081ea19dffa86eaad006ca6bce3ba023a9d0cc52d303491
Opcode Fuzzy Hash: 7dd6bf72e8a35782288d7f14626ec8a3077a7cc4357f3603e364eaf606ff34d9
Instruction Fuzzy Hash: C8E09274E00208EFCB04DF98E541A9DBBB4EB88304F2481AAD818A7340D731AE52DB81

Function 013FBC98 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c01b737aa1f3dc4891cfa415908512ceb518f9eeec331a849c8c0761457c3dd
Instruction ID: 9129a0a481ecb346f09f12908b75238337bf44829227dc63b1ae0a60ecacb69a
Opcode Fuzzy Hash: 4c01b737aa1f3dc4891cfa415908512ceb518f9eeec331a849c8c0761457c3dd
Instruction Fuzzy Hash: 87D01271905208EFD704EFF9E50069B7BA8AB01304F5055AAC61493110EF314E50A791

Function 013FC920 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d839827e243f211c30ef2c23d2b7a3c8e5b02889d164a02ba6ee59ffa630419
Instruction ID: 8058fee2477c28f98b81f3b8a25ed145950509bb0ca07329ebdc593136e4bcd3
Opcode Fuzzy Hash: 4d839827e243f211c30ef2c23d2b7a3c8e5b02889d164a02ba6ee59ffa630419
Instruction Fuzzy Hash: 7AE01234904208DBC704DFD4E541A5DBBB4FB85304F5491ADC81917340DB319E52DB81

Function 057B6217 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef69e05b72e3508356062b8fe0875085ae6bc10f6904961961bf2a35feb97c26
Instruction ID: f6638b3b57a53d00b25785b5394dd248c53cde46178e22baa5dd0ebd79c32f77
Opcode Fuzzy Hash: ef69e05b72e3508356062b8fe0875085ae6bc10f6904961961bf2a35feb97c26
Instruction Fuzzy Hash: ADD0A739B04104CFEB08DBE4E8505E9776EF7C821DF418161F229A7545CB382A448750

Function 013FA568 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f19f4d326cea6968d98f524d8b92f910f7ccbca14dab3e8bc151bbfb583432
Instruction ID: 8862d4fd63ef4f4850797b2fc783ba1f0571e196b80a15d250728dcab229ef00
Opcode Fuzzy Hash: 89f19f4d326cea6968d98f524d8b92f910f7ccbca14dab3e8bc151bbfb583432
Instruction Fuzzy Hash: E6D0A770900208DFC704DB94E400A59B7A8EB41304F54419D881D53340DB329D01CB81

Function 055319F7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a50793714ad737087668d87da1e6b69b79ab15f4d3dcc1b0bdeff7100b16c97
Instruction ID: 2e3dcac0a45516485498717c39a4e2f1dc2e53f8e89be7afc6dfae840e71621b
Opcode Fuzzy Hash: 2a50793714ad737087668d87da1e6b69b79ab15f4d3dcc1b0bdeff7100b16c97
Instruction Fuzzy Hash: 04E09278E5422ACFDB54DF24D88579ABBB1FB89308F5080E99929A3344DB345E80CF80

Function 013F1476 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1045ebab341ff42a25351925130d5eac376df5725cc66ecdd676b797e8f9ea2
Instruction ID: e61c087af6b682edefcae287b48fb09cd7b84d4796b1d9850c776b1b395fadcb
Opcode Fuzzy Hash: f1045ebab341ff42a25351925130d5eac376df5725cc66ecdd676b797e8f9ea2
Instruction Fuzzy Hash: 86D09270A04118CFD754CB28C988EAAB7B5AB8D304F118089F409A7221C7309D448A20

Function 0553A3B2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edafba04e7d46f29fbe0d2d1e61db94fde8dccd03a209e4b30302897b41e426
Instruction ID: 46d4c89bb960baf49b4bcacb9ccd52847a00b3b592876b3d831c5c874d66161b
Opcode Fuzzy Hash: 4edafba04e7d46f29fbe0d2d1e61db94fde8dccd03a209e4b30302897b41e426
Instruction Fuzzy Hash: 1FD09275E003189BEF10DF90E48968DBBF1FB48300F5041958008B7341D6709D80CF84

Function 013F155D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a20c4e647daf565b4ae92d64d4847531c3e52c1b62ac3108bd85bdf2261cd5f
Instruction ID: fad30a2d4454d2f76fef594df3474fb1ae51208f18fd870dd625c1f20265e7b8
Opcode Fuzzy Hash: 8a20c4e647daf565b4ae92d64d4847531c3e52c1b62ac3108bd85bdf2261cd5f
Instruction Fuzzy Hash: CDD0CA74900228CFCB048FA4CA88E8CBB72BF09304F208089E6096B221C7329888CF10

Function 013F1696 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e57d27506113f2db1d3723d292d741cdd9c1ef5460720552b5a7cf61f3d864
Instruction ID: 036604e6ecfa3e1098535543beeb431aa478847d222b1262d2caef530db3021b
Opcode Fuzzy Hash: 05e57d27506113f2db1d3723d292d741cdd9c1ef5460720552b5a7cf61f3d864
Instruction Fuzzy Hash: 64D0CA34900218CFCB04CFA4CA88E89BBB2AF0D314F2040C9E90977221C732AE88CF20

Function 013F1B98 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d3561ce5cc0bd60028d12337602d0ae3732093979650157a40b0f6a047ecb8
Instruction ID: a928d4fefdb7706679e616a9d997f2eb6fda46996185e0ddf917eb37995a67db
Opcode Fuzzy Hash: 71d3561ce5cc0bd60028d12337602d0ae3732093979650157a40b0f6a047ecb8
Instruction Fuzzy Hash: 6FC08C70003108CEFB284B988E2CBAD7F35B702309F0040C8E305236D2C3700485DA12

Non-executed Functions

Function 05539A08 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

x, xrefs: 05539C0C
], xrefs: 05539ACC

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: ]$x
API String ID: 0-873692249
Opcode ID: 204c7622cdcfb65392844b3f0670b1ae6f5f3f5438543ec3c17cf24c374f8106
Instruction ID: 5da96bdcd3d79a1ae5ee4469194c7092af772ba1628a63ad40c6152471f73fee
Opcode Fuzzy Hash: 204c7622cdcfb65392844b3f0670b1ae6f5f3f5438543ec3c17cf24c374f8106
Instruction Fuzzy Hash: A641C9B1E056199BDB18DF5BD8896DABBF3BFC8300F14C1EA981DA6254DB700E818F50

Function 057BEB60 Relevance: 1.7, Strings: 1, Instructions: 452COMMON

Download Yara Rule

Strings

UUUU, xrefs: 057BEEA8

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 5b68e4239f49c72736fb0bea6d432ebeff3a5b6f00edd8ac6febcbc7c76f9c30
Instruction ID: 66f5d41005af0d1cfe842246208494e3bcfa3397f655e6c1247e784c04740bc8
Opcode Fuzzy Hash: 5b68e4239f49c72736fb0bea6d432ebeff3a5b6f00edd8ac6febcbc7c76f9c30
Instruction Fuzzy Hash: B8129071E046599FEB14CFAAC9806DDFBF2BF88304F28C169D418AB219D774A946CF50

Function 055399F8 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

], xrefs: 05539ACC

Memory Dump Source

Source File: 00000000.00000002.886811903162.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_L814CyOxMT.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 0f58750c2d0b9cd7fba713821a635c6ae2bd04107921a3415ab487536b68d150
Instruction ID: 33cba962c5d7576f9efa39935d1271bf1f605556d638c8e075d29502c757cb6e
Opcode Fuzzy Hash: 0f58750c2d0b9cd7fba713821a635c6ae2bd04107921a3415ab487536b68d150
Instruction Fuzzy Hash: 592171B1D416199BEB1CDF6B9D456DAFAF3AFC9300F14C1FA881CA6214EB740A418E51

Function 013F4280 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa745f5af69224d8afbaa1cd761d78ac38828616e3f194b1c0546b6609b59999
Instruction ID: d38a943b288136917097d12b6f623c981abe8ff9c242c5a9de16a0b15f8422fc
Opcode Fuzzy Hash: aa745f5af69224d8afbaa1cd761d78ac38828616e3f194b1c0546b6609b59999
Instruction Fuzzy Hash: 7FC16175E006188FDB59CF6AC944ADDBBF2BF88305F14C1AAD909AB365DB305E818F50

Function 013F0990 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0c591a42bff09ec3852510e6c7a3a75f60b8ec011fba50118161743e7acf66
Instruction ID: d3877e2e75663df3c892c477ede0171da0d633d622d96d2cd28520811f347e95
Opcode Fuzzy Hash: 1a0c591a42bff09ec3852510e6c7a3a75f60b8ec011fba50118161743e7acf66
Instruction Fuzzy Hash: D0712B71A002498FD70EDF7AE84169EBFF2BF88204F58C539C454AB369EB385946CB51

Function 013F09A0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9ba2700b9d63657935ba313207c17fdd982d88b6fea0beea841f21fef6feae
Instruction ID: 6ab2625e8880fe2436212852c489443a421b57867e25f0ac7fe6568c81a55fcc
Opcode Fuzzy Hash: 6f9ba2700b9d63657935ba313207c17fdd982d88b6fea0beea841f21fef6feae
Instruction Fuzzy Hash: 0661E771A002098FDB0DDF7AE44169EBFE2BF88304F58C539D464AB369EB385946CB51

Function 057BEB50 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27791bfec9e0641b91c82012fee8545495f3f4b16e5f8fa998b433447df11df
Instruction ID: 02ee8590aa351ab509a0cc8cd4aafeb800893cc1a72d10d4524cd5b6003d23b0
Opcode Fuzzy Hash: a27791bfec9e0641b91c82012fee8545495f3f4b16e5f8fa998b433447df11df
Instruction Fuzzy Hash: DE516975E006198BEB08CFABC94469EFBF3BFC8300F14C07AD958AB254DB7459469B54

Function 057B0007 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e9be1f82b3a1697bceee47c49ddb7f85f5261c3b28941748cf2c14228e8156
Instruction ID: 942060b906dbee557e783296fae362310f02704a109ea547c3348577ade2a9e9
Opcode Fuzzy Hash: b7e9be1f82b3a1697bceee47c49ddb7f85f5261c3b28941748cf2c14228e8156
Instruction Fuzzy Hash: 91316F71D052949FEB1ACF6ACC54BD6BFB2AF86300F09C0EAE4489B166E7710985DF11

Function 013FCEF0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886809830209.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63fa0b97abba58569f23a89c024a500f45399cf239168322a5b040e6932f4b2
Instruction ID: 62e69c341e90f6b899a67b709eed956cc08f925cd7e99f02b41de2e6eb2447ce
Opcode Fuzzy Hash: c63fa0b97abba58569f23a89c024a500f45399cf239168322a5b040e6932f4b2
Instruction Fuzzy Hash: 6821E971E006188BEB28CF6BD8406D9FBF7FFC8214F14C1BA9518A7655DB3059868F51

Function 057B0040 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.886811967123.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_L814CyOxMT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb75c3cd914edeac45a1947577c1ddc8d2cd1d8d972c95899349062311a15620
Instruction ID: b4e115ff5ec6dbf1e9c4e9f63f8f081f4f374d6d0fd8ebbcc0bb1ffbc427b2c6
Opcode Fuzzy Hash: bb75c3cd914edeac45a1947577c1ddc8d2cd1d8d972c95899349062311a15620
Instruction Fuzzy Hash: 9221DB71E046189BEB18CF6BDC146DAFAF7BFC8310F04C1BAD81DA6254EB700A858E41

Analysis Process: MSBuild.exePID: 2752, Parent PID: 6424COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.3%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Executed Functions

Function 06AA1C00 Relevance: 1.6, APIs: 1, Instructions: 50
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 06AA1C65

Memory Dump Source

Source File: 00000002.00000002.887068421943.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6aa0000_MSBuild.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: f3beab210e284b27f089da03980e1c9d7d6d0a5bd58affac436c6d892389b7f2
Instruction ID: c520c9b23ea9a5337a8106d174d77444f56d9e6a25044e267f6c632ae1af316d
Opcode Fuzzy Hash: f3beab210e284b27f089da03980e1c9d7d6d0a5bd58affac436c6d892389b7f2
Instruction Fuzzy Hash: 581116719003599BCB14DFAAC948BDEFFF5AB88710F10882AD459B7240CB79A944CBA4

Function 02FA4A08 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daac992b30d0c2051bf425f75997c9313c67c00d738afd59bc0cae54a85052d3
Instruction ID: 639d9e9b17c7327db1f15ace2517881f7637b404b41d3be08fafde48d30299b7
Opcode Fuzzy Hash: daac992b30d0c2051bf425f75997c9313c67c00d738afd59bc0cae54a85052d3
Instruction Fuzzy Hash: 3FB16EB0E00209CFDB10CFA8C89579DBBF2AF88784F148129D915EB394EBB49845CF91

Function 02FA52D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d17f85fbba96141ba36026eefb2c4a3fc95fb3b7d792c2240429ea194f8f7f
Instruction ID: a306763755d1a53e6071c0f3a40b212e8a652d758407bb7672de6d1365b09ba0
Opcode Fuzzy Hash: 16d17f85fbba96141ba36026eefb2c4a3fc95fb3b7d792c2240429ea194f8f7f
Instruction Fuzzy Hash: 7CB18DB1E00209CFDB10CFA8C9A579EBBF2AF88754F548129D915EB394EB749845CF81

Function 02FAD388 Relevance: 2.9, Strings: 2, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0on, xrefs: 02FAD494
Dqn, xrefs: 02FAD4A0

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0on$Dqn
API String ID: 0-893887009
Opcode ID: 8857fca5c0a54fbe07403ff3ab5844f7527d0712f8e81c68fc1ce1fdf0cdd70f
Instruction ID: a7f7e74687ec01667e6a79f351078cc84357dd4b20ff00e2962a0427cc4a4ffd
Opcode Fuzzy Hash: 8857fca5c0a54fbe07403ff3ab5844f7527d0712f8e81c68fc1ce1fdf0cdd70f
Instruction Fuzzy Hash: C0F10370B102158FCB94DF69D894B9EB7F6BF88204F6084A9E509EB365DB749C41CF60

Function 02FAD377 Relevance: 2.8, Strings: 2, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0on, xrefs: 02FAD494
Dqn, xrefs: 02FAD4A0

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0on$Dqn
API String ID: 0-893887009
Opcode ID: f1d123f1519381fa5b01c6897d0344068d211740336d79b9cd5c84f61380b115
Instruction ID: a62c6e024134b269f462c4121992c8f2697dbef4f3a3091a59665e4043e90d8a
Opcode Fuzzy Hash: f1d123f1519381fa5b01c6897d0344068d211740336d79b9cd5c84f61380b115
Instruction Fuzzy Hash: A8D12470B102158FCB44DF69D894BAEB7B6BF88204F6084A9E509EB3A5DF749C41CF60

Function 06AA1CB0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32First.KERNEL32(?,?), ref: 06AA1D95

Memory Dump Source

Source File: 00000002.00000002.887068421943.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6aa0000_MSBuild.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 4450991e72813c26497f8c4774d58daeddabe3ef873b514eda22179fdacca673
Instruction ID: 89432012305964124b36c5df4b4d47379b907207c4668f5b606ef05c8bffa4c8
Opcode Fuzzy Hash: 4450991e72813c26497f8c4774d58daeddabe3ef873b514eda22179fdacca673
Instruction Fuzzy Hash: 1D413570D00228ABDB64DF69C984BDEBBB5BF49300F50849AD40DAB240DB755E89CF90

Function 06AA1CB8 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32First.KERNEL32(?,?), ref: 06AA1D95

Memory Dump Source

Source File: 00000002.00000002.887068421943.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6aa0000_MSBuild.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 04150f4e5c8599282a48d7bf0bb4d0915e0d812bb0ff01b4f9ebc99e56cd3fee
Instruction ID: 0f851214f66bdd76d655a741d6f97b167923f1cfba4006c0caedaf71d60d8f9a
Opcode Fuzzy Hash: 04150f4e5c8599282a48d7bf0bb4d0915e0d812bb0ff01b4f9ebc99e56cd3fee
Instruction Fuzzy Hash: 47410570D002289BDB65DF69C984BEEBBB5BF49304F5084EAD40DAB240DB755E89CF90

Function 06AA1BFA Relevance: 1.6, APIs: 1, Instructions: 54
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 06AA1C65

Memory Dump Source

Source File: 00000002.00000002.887068421943.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6aa0000_MSBuild.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 75aa88f1522459104453fbe456f45b8153ceef51991c2872a4478fa49752fcdf
Instruction ID: 1331aaae10891a7930a5617b5c3bba5d9254d4a3e05b519b2a4b47a04dc776c5
Opcode Fuzzy Hash: 75aa88f1522459104453fbe456f45b8153ceef51991c2872a4478fa49752fcdf
Instruction Fuzzy Hash: EF1137718003489FCB14DFAAC988BDEFFF5EB88310F10882AD459A7241CB75A945CBA4

Function 02FA9990 Relevance: 1.5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#B, xrefs: 02FA9D09

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: #B
API String ID: 0-3259679553
Opcode ID: 709d69a5b90dece1ac2ef271e6ca4eb3f0b805ed12449c358c3e50a9786daaa4
Instruction ID: 97d9c59c840bd15028c0895f4b3a3636e7adba876fb1931530054552822be36d
Opcode Fuzzy Hash: 709d69a5b90dece1ac2ef271e6ca4eb3f0b805ed12449c358c3e50a9786daaa4
Instruction Fuzzy Hash: 83911CB03111005BD788E76AE860FAF379B9BC8740F14423D990AE7BD4CE686D469BF5

Function 02FA99A0 Relevance: 1.5, Strings: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#B, xrefs: 02FA9D09

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: #B
API String ID: 0-3259679553
Opcode ID: 88316bd2aef909317f288885796473ab6a353872254d48591875e1188e408381
Instruction ID: 5439f0727971ac8439a62e9b36dc4e56fae7854a475802f1da23ff6ac2178833
Opcode Fuzzy Hash: 88316bd2aef909317f288885796473ab6a353872254d48591875e1188e408381
Instruction Fuzzy Hash: 76912CB03111005BD788E76AE860FAF379B9BC8340F14423D990AE7BD4CE686D469BF5

Function 02FAB318 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Eqo, xrefs: 02FAB3C6

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: Eqo
API String ID: 0-3056040483
Opcode ID: 6e0bc7592e130de5a898495cb7db902078a4e428f1041bfddd13500c340cfb3b
Instruction ID: f765292cc89c8879d95178121a2350b61e52c8d5c0a94450f7d3682a9557d239
Opcode Fuzzy Hash: 6e0bc7592e130de5a898495cb7db902078a4e428f1041bfddd13500c340cfb3b
Instruction Fuzzy Hash: 0E31D2B0B012099BD708DF75D460AAEBBF3AFD9300F108129D906BB390DF749C468BA0

Function 02FAB328 Relevance: 1.3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Eqo, xrefs: 02FAB3C6

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: Eqo
API String ID: 0-3056040483
Opcode ID: 8f9a25ab96140d28fc96c721d0ec884b039c8aab70df7eac3a90035a8a58acab
Instruction ID: c6adde576598ac4802d9cb77450c183c4a7df2c70925fe4b48c45b9ce6645106
Opcode Fuzzy Hash: 8f9a25ab96140d28fc96c721d0ec884b039c8aab70df7eac3a90035a8a58acab
Instruction Fuzzy Hash: CF3191B0B112099BDB08DF75D4646AEB7A3AFD9340F108529D906FB390DF749C468B91

Function 02FA7881 Relevance: 1.3, Instructions: 1325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5dbbb49603f1b554a6d40dfb4bdd03abb6a92805b55287d4e745fe37b6ac90
Instruction ID: f2c122e2a1b005943f73658f3a625165cd45155030e0cb515be49050bb30c8ce
Opcode Fuzzy Hash: 8c5dbbb49603f1b554a6d40dfb4bdd03abb6a92805b55287d4e745fe37b6ac90
Instruction Fuzzy Hash: 2ED2B7B4A006198FCBA9EF78D954B5AB7F2AF88201F5044E9C109E7760EF749E85CF50

Function 02FA62F1 Relevance: 1.1, Instructions: 1110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244a83fb4e7f757256d5ef298725d00592d57a4997f731856145bf5012694901
Instruction ID: b39106e082391a80fccefa950e848ed9934805d0f2ff265ab0d277bf6ff0794f
Opcode Fuzzy Hash: 244a83fb4e7f757256d5ef298725d00592d57a4997f731856145bf5012694901
Instruction Fuzzy Hash: 54C2C3B4E102298FDB65DF69C890B9DB7B6FB88300F5085EAD80DA7354DB346E858F50

Function 02FA6300 Relevance: 1.1, Instructions: 1105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fa18cec9fd380dbba9390f42b65562a9d2417cc5ffea2670c13b98ae0e0070
Instruction ID: f67e62f72d185a71f7371f5d934fd816e667a583082f9bd1d62864d1667741cc
Opcode Fuzzy Hash: c7fa18cec9fd380dbba9390f42b65562a9d2417cc5ffea2670c13b98ae0e0070
Instruction Fuzzy Hash: A1C2C3B4E102298FDB65DF69C890B9DB7B6FB88300F5085EAD80DA7354DB346E858F50

Function 02FAE710 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde1b7bc550ddc5a3b5df677b8e9bb4da1eb5e6656304bddb347083e5aa1a951
Instruction ID: 8620ac3f23b3bdac6bdf3e9f4e5823e52a7deb14842c9a23cc053a073d5cc180
Opcode Fuzzy Hash: dde1b7bc550ddc5a3b5df677b8e9bb4da1eb5e6656304bddb347083e5aa1a951
Instruction Fuzzy Hash: 3C02C9B4A012099BDB44EBA5E960FAE7777EB88300F504128D909B7794CF386D46CFB5

Function 02FAE720 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5235c8f0c5ad320e81241119260aab3a840301d08288aa80131442a3a748c9d
Instruction ID: 0843115c7a3e3318673fe50a63319c5a0f37b3c47363399e1eb5a79619da4f47
Opcode Fuzzy Hash: c5235c8f0c5ad320e81241119260aab3a840301d08288aa80131442a3a748c9d
Instruction Fuzzy Hash: 1B02B9B4A012099BDB44EBA5D960FAE77B7EB88300F504128D909B7794CF386D46CFB5

Function 02FAB738 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9876a838b0748644274368aaf7f76c0890669589521fc45ec86b6ab33f00f9e1
Instruction ID: 7962e37298b7d22ab609d53cf0d8a2422f6021cbb51eb184ed6d97ee1bf61fb7
Opcode Fuzzy Hash: 9876a838b0748644274368aaf7f76c0890669589521fc45ec86b6ab33f00f9e1
Instruction Fuzzy Hash: 60E11474E002098FDB15CF69C494A9DBBF2BF8C354B55C1A9D815AB3A5DB34EC42CBA0

Function 02FAAB60 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b630cf1afc1f7a8d63d6c79bd96b5867670440b7aac3cda058b21f1abfd880f0
Instruction ID: 62907a84fbb7cbc16cdb2fec4d6fa6bca63d93e16e00fd4cb90b8b8300e7434d
Opcode Fuzzy Hash: b630cf1afc1f7a8d63d6c79bd96b5867670440b7aac3cda058b21f1abfd880f0
Instruction Fuzzy Hash: 47B16271B101019FCB44DB79D890A6EB7F7AFC8610B558468E906EB3A5DF78DC02CBA0

Function 02FA49FD Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72867ade1d334a231c33761c748c839bf23455c86ddb9b95323b1dad68631c4
Instruction ID: 6c6db5532465f10141cce6e11a44d54d167500eb680f7ec4dce201b493f84c7d
Opcode Fuzzy Hash: e72867ade1d334a231c33761c748c839bf23455c86ddb9b95323b1dad68631c4
Instruction Fuzzy Hash: 31B14DB1E00219CFDB10CFA8C8957DDBBF2BF88784F148129D915AB294EBB49845CF91

Function 02FA52CC Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4053323ad5b391bf3ce04dd578d5051b96fa690de8d1d5a1c6ae359b8c3d219a
Instruction ID: 2c793b41f133ac28813e1f4ba2bf6a575df13347b9f443bae5930d3dc870aefe
Opcode Fuzzy Hash: 4053323ad5b391bf3ce04dd578d5051b96fa690de8d1d5a1c6ae359b8c3d219a
Instruction Fuzzy Hash: C9B18DB1E00209CFDB10CFA8C9A57DDBBF2AF88794F548129E914AB354EB749845CF81

Function 02FA0A7B Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61569142609281edd8a9eeb9d12546e65cca50e5d51d1d7e37510daae6818c6
Instruction ID: 95eb92e099552a9b284a4a11ae9cc980696455486fb63b07d31303371ef1a752
Opcode Fuzzy Hash: b61569142609281edd8a9eeb9d12546e65cca50e5d51d1d7e37510daae6818c6
Instruction Fuzzy Hash: C0917BB07002009FD754AB7AE924B6E77ABAFC8344F14852DD906A7394CF389D45CBA6

Function 02FAEF28 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3046b8d50eae89058fd8c546f5e03943088b097146d9936bcde695f4f7f9305
Instruction ID: 6099928f9484baee89718d6930659f3f61dbeaea0ebaae5a480892ddc5edfb30
Opcode Fuzzy Hash: a3046b8d50eae89058fd8c546f5e03943088b097146d9936bcde695f4f7f9305
Instruction Fuzzy Hash: F39139707002018FCB88EB79D464A6E77F3AFC8254B654468E506EB3B4DE78DC42CB60

Function 02FA0A84 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce66d243e68ce36c46549a4515448c8972dfd0274e65ea1e4cd4d36541a39c10
Instruction ID: 6b612c80aecd5777570b76863e2d531800f1f3ed9b6554c5390560197b09a6d1
Opcode Fuzzy Hash: ce66d243e68ce36c46549a4515448c8972dfd0274e65ea1e4cd4d36541a39c10
Instruction Fuzzy Hash: C0916BB07001009BD754EB7AE924B6E76ABAFC8344F14852DD906E7394CF389D45CBA6

Function 02FAEF18 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207f50b4aee03acea1e6e62f8832ce1ab511ad98666e4120cdafffd6275f5773
Instruction ID: 061a7b4f453f92b2acd95ec9597cc0c718ec0e4598eaed386b16e44a27a60f72
Opcode Fuzzy Hash: 207f50b4aee03acea1e6e62f8832ce1ab511ad98666e4120cdafffd6275f5773
Instruction Fuzzy Hash: 689139717002018FCB88EB79D464A6E77F7AFC8254B654468E506EB3B4DE78DC42CBA1

Function 02FAA1E0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade9552b271c0f75668b0c56f77d8418702422af8d7476d02a145adac034a7c4
Instruction ID: 646f0841191d9e85f99703d12a2b5acc5e2fc38a5f41b742f0cb3d4bc3252b6a
Opcode Fuzzy Hash: ade9552b271c0f75668b0c56f77d8418702422af8d7476d02a145adac034a7c4
Instruction Fuzzy Hash: 38813D75B00209CFCB05DFA5D594A9EBBB2FFC8200F518125E906A7364DB38AD46CF51

Function 02FA5044 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f2db6851b1636439a771030a9492583079af574372070e0d1a79231a1872a9
Instruction ID: 494421859ce02e15350b54ef599d278626662cb9ebc667d48c2c97e84eb3289e
Opcode Fuzzy Hash: e7f2db6851b1636439a771030a9492583079af574372070e0d1a79231a1872a9
Instruction Fuzzy Hash: 70717CB1E00209CFDF10CFA8C8947EEBBF2AF48754F548129E515AB250DB749846CF91

Function 02FA5050 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1454eeff107da25e3aae51753f532c9329547fb5877dea0f660effa253dd2462
Instruction ID: 3f265d2e33f49813e9a5e03981c4d114e679c4bbf67f84a14ffc89d48becbbbf
Opcode Fuzzy Hash: 1454eeff107da25e3aae51753f532c9329547fb5877dea0f660effa253dd2462
Instruction Fuzzy Hash: 8B717BB1E00209CFEF14CFA9C8947AEBBF2BF88744F548129E515AB250EB749845CF90

Function 02FA8E90 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d604bff2a18291f376f2c5ed6efdad8f2ba84ac7cbb05007ec68c7d67eb2eb92
Instruction ID: 087514791181f0649cdf95895d64f93ffcd3efc72fff49a61cef22827eb2aee1
Opcode Fuzzy Hash: d604bff2a18291f376f2c5ed6efdad8f2ba84ac7cbb05007ec68c7d67eb2eb92
Instruction Fuzzy Hash: 8E517B71E0020A8FCB14DFA9C5906EEBBF2FF88340F248569D505AB355DB75AD468BA0

Function 02FAA1D1 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0e2cc7b374b7972cb8a15fd551f16ce2691902d5b33177f774b8cedaf99cf1
Instruction ID: 634c07a325296418172857d9b5a7a6df582cc4edd58fb8629fb4f244ef139a8c
Opcode Fuzzy Hash: 2a0e2cc7b374b7972cb8a15fd551f16ce2691902d5b33177f774b8cedaf99cf1
Instruction Fuzzy Hash: 4D515C74B0021ACBCB05DF66E59066E77B3EFC8200B618529D906A7364EF39AD47CF91

Function 02FA8F78 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbb29fbb6de09e9ddf38f07eb2a56996e8bdcb12945a1cf8cca51c1646ad4b5
Instruction ID: 20fe161282b85fdb6ab0089c7dcb52c9b4d836833f1c27843dc1f883342ab544
Opcode Fuzzy Hash: 9dbb29fbb6de09e9ddf38f07eb2a56996e8bdcb12945a1cf8cca51c1646ad4b5
Instruction Fuzzy Hash: 1351DF70A102498FCB15DBB9C460AAEBBF2FFC5340F108569D905AB355DF74AC4ACBA0

Function 02FAC340 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1daa409864cc505e1235c0da68d945435e4b702ee70614ccb70df42beaab977
Instruction ID: 44739298a5a1d5e88860635383f160960392c6edf39dd203f37ccc1326a7791d
Opcode Fuzzy Hash: b1daa409864cc505e1235c0da68d945435e4b702ee70614ccb70df42beaab977
Instruction Fuzzy Hash: 6D41D0B0B002059FDB25EB3AE964B6E77A3AFC4780F144429D906EB394DF349C06CB95

Function 02FA91E0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1af42df7f88f6ac0041f7ed42cd0a04e3eb09fe05b0ba7efc19c23a7102354d
Instruction ID: bae212958875f315a166d0e5f75d81249f27812f125a8c0a8224b032102d2b36
Opcode Fuzzy Hash: e1af42df7f88f6ac0041f7ed42cd0a04e3eb09fe05b0ba7efc19c23a7102354d
Instruction Fuzzy Hash: D541C070A002499FCB15DFA9C460AAEBBF2FFC5340F148569D505AB355DF74AD0A8BA0

Function 02FA1EF0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1327aa2b2023f16669269382bd77f44bee94c695f65a5b42eebd4047c2ec94af
Instruction ID: a24550b71bc1e0edc7e9fa0acb9368c028e177dee9059c2b36f9dafc8cfb0a9e
Opcode Fuzzy Hash: 1327aa2b2023f16669269382bd77f44bee94c695f65a5b42eebd4047c2ec94af
Instruction Fuzzy Hash: 53416D70700011ABD744E669ED60BAF739BEBC8740F104679DA09E3784CE785E45CBE5

Function 02FAB5D1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8385b7ace2e7ddd84be7684a5c8337a97a195047eab078b7b5c3a839be1914a2
Instruction ID: 7c1e6794f79112bb0a9102049ec218fda4d15d69730df980170d4f016f539b79
Opcode Fuzzy Hash: 8385b7ace2e7ddd84be7684a5c8337a97a195047eab078b7b5c3a839be1914a2
Instruction Fuzzy Hash: 2F417C71B002159FCB05DF79D994AAEBBF2AF88354F248069D905AB361DB35DC42CFA0

Function 02FAF898 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f71d29ea5498ba0bc32a52b8ea7dd8bbec68c9f9c32a1ce2b691c2dcf8cdd2
Instruction ID: 7e8f912a079da8d2a6f1176be2b89f05e242f8b03ab7188e10469348c081715b
Opcode Fuzzy Hash: a3f71d29ea5498ba0bc32a52b8ea7dd8bbec68c9f9c32a1ce2b691c2dcf8cdd2
Instruction Fuzzy Hash: 8A41B6B07002519FC715EB38D82072EB7E3AFC5354F148659C1498F392DF299C46CBA6

Function 02FAFA20 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6478440d51dda1ff2af3b122da32dde3d45d607317867f45785dd99e7a850e6d
Instruction ID: 4e0cce02f15efbb43789a2e075556e85248d1897eb9fc1cebaaa29aca4ac07a0
Opcode Fuzzy Hash: 6478440d51dda1ff2af3b122da32dde3d45d607317867f45785dd99e7a850e6d
Instruction Fuzzy Hash: 13416C71E0070ACBCB15DFA9C4605AEB7B2FF89340B608529D50AAF751EB35AD46CB90

Function 02FA94B9 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255ffd7e2b5f105aef3a2aedbbb33c9c2b8b0d94004e5ab981a0ad3e8f90f97b
Instruction ID: a41d5431e9a47b856b004607f11b9d05d622e22faacfb1bd4b2386d56193b0fc
Opcode Fuzzy Hash: 255ffd7e2b5f105aef3a2aedbbb33c9c2b8b0d94004e5ab981a0ad3e8f90f97b
Instruction Fuzzy Hash: 03412975F002159FCB45DFA9D5A1AAEBBF2AF88250B508079E905E7364EB34DC02CF60

Function 02FABB22 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88714bc488986e608940e873a5d0c718b1e0b04b9fa85ec2e771918a3006220
Instruction ID: db61cd73b4726834a111407a170ec96f3cdd4ec3c5d59fd3b4394c23956aee91
Opcode Fuzzy Hash: a88714bc488986e608940e873a5d0c718b1e0b04b9fa85ec2e771918a3006220
Instruction Fuzzy Hash: 27419AB5E002098FCB09CFA8C494A9DBBF2BF9C354B55C196D915AB266C730E841CBA0

Function 02FA0CC3 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ac1ba3aaa34105e6de071700c6fe242d22ca1cb3b8fb198a6e99ec49bfa5cf
Instruction ID: 6c1a395015fa04cacf494ca0d5cc3265e8ce9ab5d6a128b65daf2529470bd1a1
Opcode Fuzzy Hash: c1ac1ba3aaa34105e6de071700c6fe242d22ca1cb3b8fb198a6e99ec49bfa5cf
Instruction Fuzzy Hash: 583184B47001019FD755ABB5D42C76E7AA7ABC8305F14463CD90B97388CF398C46CB65

Function 02FA91D1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43d53e560f76bf568a5a4e735c68fda8761ec0265d3997f9c44ea8d1cd91750
Instruction ID: 39ed274851452857f17676e21574fbd40933fced287c80eb2b62f0a6b7f6df0b
Opcode Fuzzy Hash: e43d53e560f76bf568a5a4e735c68fda8761ec0265d3997f9c44ea8d1cd91750
Instruction Fuzzy Hash: 8531AE70E002498BCB14DFA9C5905AEBBF2FF88300F148529D905AB355DB74AD06CB50

Function 02FA2B1D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048ed65ee63a9f8f66ad24f1ba384e14513da928f7e88a08d9bd41fa8ae54e06
Instruction ID: d5214455038f7ce6459b7950cb560b549e07bab35165a924583f09157aa24854
Opcode Fuzzy Hash: 048ed65ee63a9f8f66ad24f1ba384e14513da928f7e88a08d9bd41fa8ae54e06
Instruction Fuzzy Hash: 3A410DB0D00349DFDB14CFA9C994ADEBFF5BF48314F20802AE819AB210DB759946CB90

Function 02FA2B28 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708757e49c198b728d4b8a97a95dee08653db2dc98b36114be752c74e0341070
Instruction ID: c853671a531c8869dbc8619a4f19193fbf405e86c9f220179c630a06c896f0d2
Opcode Fuzzy Hash: 708757e49c198b728d4b8a97a95dee08653db2dc98b36114be752c74e0341070
Instruction Fuzzy Hash: 1841FEB0D0034DDFDB14CFA9C994ADEBFB5BF48314F20802AE819AB250DB75A945CB90

Function 02FA20A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f46469dd53e14dbb0b294b0ff44a23f0fa2a81f7f1d933ea25e35270358d97
Instruction ID: 1f33fc9553fff670718f58c25073a07dfd3b274a31192252a3e092a7b902c1f3
Opcode Fuzzy Hash: 27f46469dd53e14dbb0b294b0ff44a23f0fa2a81f7f1d933ea25e35270358d97
Instruction Fuzzy Hash: 93217FB1B002049FEB199B74C9657AE7BF6AB89284F104069CA06AB260DE758D01CFA0

Function 02FAF778 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdf70ba77c4a140da845ad9e02fa98cb23bc734f9484ceacfd02f3596dc8e0e
Instruction ID: d6e3545465757d3c4fd16565b74e4fb67822cc12583662025b4e483c66557b21
Opcode Fuzzy Hash: fbdf70ba77c4a140da845ad9e02fa98cb23bc734f9484ceacfd02f3596dc8e0e
Instruction Fuzzy Hash: AF218B70F002088FCB54EB79D590AAEBBF2EB88240B504179D109E7321DF399C42CFA1

Function 02FAF788 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ad9ead8b62882cc081111cda684544e6f32717286a0b3d186a804a8a701473
Instruction ID: 8897d064b9a9fa76b7e3692f737eba652b0250de123508a18cbb4cd313b81a95
Opcode Fuzzy Hash: 24ad9ead8b62882cc081111cda684544e6f32717286a0b3d186a804a8a701473
Instruction Fuzzy Hash: A5216970F002098FCB54EB79D590AAEB7F2EB88240B508169D509E7360EF389D06CFA1

Function 012DD214 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887042861363.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8b46260dcd06fef94024659e802e282ca78345c2449a2e7701644bb2a6374c
Instruction ID: 977508a905445b2deb4624b06eb5bfe2b868a05d4a92bedb566012a0fa0de4af
Opcode Fuzzy Hash: 4f8b46260dcd06fef94024659e802e282ca78345c2449a2e7701644bb2a6374c
Instruction Fuzzy Hash: 0F21F171614744DFDB068F98D8C8B2ABF65FB88320F24C569E9050A287C336D416CBA1

Function 013FD1F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887043258885.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13fd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec7c50b82fde9fb2c3515cb27216ef0d40fbe93d30ebd4c8afd543d725787a1
Instruction ID: 3a9e8daf1eb5188d7163b27230683bbc9de99e0e8bc6c90e0353a774768005c9
Opcode Fuzzy Hash: 8ec7c50b82fde9fb2c3515cb27216ef0d40fbe93d30ebd4c8afd543d725787a1
Instruction Fuzzy Hash: D6213A75604244EFDB01CF58D9C4B25BB65FB84328F20C56DE9094B342C337D405CAA1

Function 013FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887043258885.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13fd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd91bd68763a4b0ab02403bbf4c6c5c20be4f03fd771e7b3da891e70fd4193eb
Instruction ID: 3060af427402827d5847045e9073f31ba015206f0c4ceeb249fb7fb40b756033
Opcode Fuzzy Hash: fd91bd68763a4b0ab02403bbf4c6c5c20be4f03fd771e7b3da891e70fd4193eb
Instruction Fuzzy Hash: 3D212671604245DFDB11DF58D888B2ABF65FB84328F24C66DEA094B346C33AD406CAA1

Function 012DD20F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887042861363.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb5020e80be1d5980a361bf0271ed6dcdaa4c109daa22f94ef83970e0d1dbae
Instruction ID: 07e1880b0845698422054c6d4db05379158a20792c318bd2edf733a899491b00
Opcode Fuzzy Hash: feb5020e80be1d5980a361bf0271ed6dcdaa4c109daa22f94ef83970e0d1dbae
Instruction Fuzzy Hash: 9821AF76504684DFDB16CF54D9C4B16BF72FB88320F24C6A9D9090B69BC33AD416CBA1

Function 02FA9135 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ac0ae18412d9ea5acd7a4fc3e9191ab18a6eb7c66a307a7bde080c0712d52a
Instruction ID: 35b39f3cb9d4215d6b57dfad6cf62c43b1b25fd62cd1a4858cbcdf9fb2bc70c4
Opcode Fuzzy Hash: e8ac0ae18412d9ea5acd7a4fc3e9191ab18a6eb7c66a307a7bde080c0712d52a
Instruction Fuzzy Hash: 3501F5307152859FC3069334E865ABE3F63DFC3250F0441AAC446CB3A2CE281C078BA1

Function 02FA9420 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7fa1ab610de8131ae2331b5eaebc0ab01860e6eaefa352dc31f6350feed47
Instruction ID: 4fd929c7d8b37eb5528562b377ace5c5e6e41571ce45a86c2032712e43b23361
Opcode Fuzzy Hash: 33d7fa1ab610de8131ae2331b5eaebc0ab01860e6eaefa352dc31f6350feed47
Instruction Fuzzy Hash: 3A11E931D1538A8FDB118BF8C8914EDBF71DE8A310F1986A6C540771A1D674219FC761

Function 02FA09C8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6480d52bf896e4d0c4ce5489212d211e76b3a837441249341c668639fc68f816
Instruction ID: c7b8ebe0bbf5c86af445b60a15f0188b3994835c72e952914fe3539c2d34ced3
Opcode Fuzzy Hash: 6480d52bf896e4d0c4ce5489212d211e76b3a837441249341c668639fc68f816
Instruction Fuzzy Hash: D8112570B10254AFC754EB74E874BAE7BB6AF85680F00456CD106E7391CFB94C06CB91

Function 013FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887043258885.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13fd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb03b8dde76749e020b4b6ebad319b77e7c643208bfb38e4df60341f0924cba5
Instruction ID: 8a7fb1d41be2daed4dabe5eaacd5e5bcdd9ef119e5dcfdd5568da9fa13b52399
Opcode Fuzzy Hash: eb03b8dde76749e020b4b6ebad319b77e7c643208bfb38e4df60341f0924cba5
Instruction Fuzzy Hash: A0119D76504284CFDB12CF14D988B15FBB1FB84324F24C6AED9494B656C33AD40ACBA2

Function 013FD1EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887043258885.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13fd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0c4872210ae0f8ee493cda335806ddb465c103960980803bc1f3cd69764d99
Instruction ID: 00ac1b5c6e96ca2f6bff11ab5f445d1b5f45a416cd262daf80a2d5777a2e0f08
Opcode Fuzzy Hash: 2a0c4872210ae0f8ee493cda335806ddb465c103960980803bc1f3cd69764d99
Instruction Fuzzy Hash: 46119079604280DFDB06CF54D5C4B15FFA1FB44328F24C6ADD9494B656C33AD44ACB91

Function 02FA09D8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05be67605fc5cd35f7477c48a729c5145495d60d3480d13252fb5fb531c35f9c
Instruction ID: 8e1ac00ef2855362d91d42be86e26cc8756f7607c164854ea163e58c155747c2
Opcode Fuzzy Hash: 05be67605fc5cd35f7477c48a729c5145495d60d3480d13252fb5fb531c35f9c
Instruction Fuzzy Hash: BA01F570B10215ABCB14EB75E824B6EBBA6AF85780F00452CD106E7390DFB85D06CBD1

Function 02FA0E85 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b09dc149b99968a4497ada32f88dae8369b23756b3ee081ed6eae0b166d58d
Instruction ID: 0c2c04a5526a27940c7ad2217f1de915bb634107e58b789fef608a6a70a186c8
Opcode Fuzzy Hash: b9b09dc149b99968a4497ada32f88dae8369b23756b3ee081ed6eae0b166d58d
Instruction Fuzzy Hash: E201D8A0B14246CBDB225770A578379BE93AF89354F14435DC19A4B28ACF75888AC746

Function 02FA9611 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091c3d13c3b0d6620e6153172362d90b0a4165dfe4dba957092b1b0a4cf0d0c8
Instruction ID: e93fc9d4a311c773b669614835a3d4a7b210a1c20d8a8bdffd4e47508062624c
Opcode Fuzzy Hash: 091c3d13c3b0d6620e6153172362d90b0a4165dfe4dba957092b1b0a4cf0d0c8
Instruction Fuzzy Hash: A30112309193849FD743DBB499A25D87FB1DE07100B1485EBC8C9D7692DA380D0BCBA2

Function 02FAA631 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b3d5e4fc6e306b7b00bb44fd1f7eada74cc682de1effaddc3e70279406ccea
Instruction ID: 21e5504c28b060874c9e7b1aeeff0e9c8f47a9fbac86c5fb61ae3810621f207c
Opcode Fuzzy Hash: f4b3d5e4fc6e306b7b00bb44fd1f7eada74cc682de1effaddc3e70279406ccea
Instruction Fuzzy Hash: CD01B132D1124E8BDB05CBA8C8504EEFBB2EFCA310F194766D511772A0EB70258BCB90

Function 012DD86D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887042861363.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c44b19e6358fc35ed96b53479caef0bb320f9848cd82d21056b2cba4dfc98ec
Instruction ID: 57264fdf965d89336a74d3220008074293c0a3fe91bdd2fb71cc98170647416b
Opcode Fuzzy Hash: 2c44b19e6358fc35ed96b53479caef0bb320f9848cd82d21056b2cba4dfc98ec
Instruction Fuzzy Hash: D501F731014788AEE7124A59D885B66FF98DF41724F14C016EE4D9A2C3C3B99841C6B1

Function 02FA939D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5b08cd5cda4b72dd3bfd71a0b3e1edff73249ad39114a0188e24707365a85f
Instruction ID: 57f5edf718003adf89afcebec7b8b788342e605e831488e46fea1fc28965ff0c
Opcode Fuzzy Hash: ed5b08cd5cda4b72dd3bfd71a0b3e1edff73249ad39114a0188e24707365a85f
Instruction Fuzzy Hash: 8101C8317053455FC752E778EC64A7E3BA3DFC2350B0941AAC44ADB396DE285C0B8BA5

Function 02FA1EE0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589aa4003c597c64f54e4d111c91d5de9f0152a317f17ddfb3515c1a29aff717
Instruction ID: 0e54900e84af5a6f3d7156a8d64adc285cd9a13e17c83e3b3f04229dc25b085c
Opcode Fuzzy Hash: 589aa4003c597c64f54e4d111c91d5de9f0152a317f17ddfb3515c1a29aff717
Instruction Fuzzy Hash: A7F0F471E001599FCB109778AC647EF3BFADB85290F0005B5D508D3200DB345D02CBA1

Function 02FAA738 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2608ed48bcaceefe0ad4315021003916fa54ae55032aa273923ba8a40a1a8865
Instruction ID: 530d09d1e3ae5b4f9f2ea42567003f0faf94150817e7fe2a100906251f89c0e9
Opcode Fuzzy Hash: 2608ed48bcaceefe0ad4315021003916fa54ae55032aa273923ba8a40a1a8865
Instruction Fuzzy Hash: A4F02872A20149ABDB169774C4765EFBFF69F44300F048425C942BB280DE745906C7E1

Function 02FAA578 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5d391f15c6af2600a3993852af95eb8967a0b5075a6e36bc17233a906cc456
Instruction ID: a9717f94220a7ec8babe7d3219f648ac7a1e457b15bc85708b81f874bc9c894b
Opcode Fuzzy Hash: fd5d391f15c6af2600a3993852af95eb8967a0b5075a6e36bc17233a906cc456
Instruction Fuzzy Hash: B8012DB0D0424DAFCB41EFA8D95169DBBB1FF49200F5045AAC445A7351DB746E45CF81

Function 02FA08F8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8403f2f5a17e5ae18fede93f7fd3c3d58aef62c6e196b020b570648ea0d1c33e
Instruction ID: d529dda19aee1711411d201166433dfe855e05abc34acb7dd549757a879c5abb
Opcode Fuzzy Hash: 8403f2f5a17e5ae18fede93f7fd3c3d58aef62c6e196b020b570648ea0d1c33e
Instruction Fuzzy Hash: 97017C7191424DDFCB02EFB9E48599C7FB1EF4A300B1089A9C455AB362DB381E46CF51

Function 02FAFB98 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d64451d63ad7030cd9d52b276269a645819fd68253d3a1d700b87376f5d9af
Instruction ID: df02d674c28a47c8f4bd91634896129d809c802e7d84717dd3f8af07070d53f9
Opcode Fuzzy Hash: e2d64451d63ad7030cd9d52b276269a645819fd68253d3a1d700b87376f5d9af
Instruction Fuzzy Hash: F2014B71D0074ACBDB09CF95C46059EB7B2BF86340F218619D905BFA10EB71AA46CF50

Function 02FA9740 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b918e1a4f50d0b7bc3501aa65e342e4ec2a390c7f0cafd79f55ad3c6b3a8772c
Instruction ID: bac4b23dfd00fa2141d5a261a9b0ebb1183f81a7f60d36da330dacece1f99baa
Opcode Fuzzy Hash: b918e1a4f50d0b7bc3501aa65e342e4ec2a390c7f0cafd79f55ad3c6b3a8772c
Instruction Fuzzy Hash: 33F02231A000899BDB169B74C461AEFBFB69F84300F05883AD843B7281DEB41807C6A1

Function 02FAC50B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e262ed9b058096e0824491c9ff8e77d0658c181c506db4705e5cf2db70cd2bcd
Instruction ID: 05a9043225213d540f42e12538de7193db46a6bcdb86cfeb9aed7b20c919f712
Opcode Fuzzy Hash: e262ed9b058096e0824491c9ff8e77d0658c181c506db4705e5cf2db70cd2bcd
Instruction Fuzzy Hash: E1016DB1B042058FD724EB25E874B6E37B3AB84380F140529D506A73A0CF785C46CFC4

Function 02FA9448 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b76ff6f0b60fc907c98239217201c4146a8ff6b31fff7c11140eb8aabdf4e1
Instruction ID: 5a0b4a693808bb003c504a8b7cbea04174dc5b5893a476db41dd2b4f6199a429
Opcode Fuzzy Hash: 10b76ff6f0b60fc907c98239217201c4146a8ff6b31fff7c11140eb8aabdf4e1
Instruction Fuzzy Hash: 32F04F32D1164E96DB10DBA9C8404EEFB76EFCA321F554721D610371A0EB70218ACBA1

Function 012DD86C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887042861363.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f345faa8b6f91fc8f491992820004cc1626f52b63171fb0c69a313b2d83d79
Instruction ID: 0cc592e7417d09bcfda063d0390d9e2befc422a346032dc5ab0b6b2777f62e3b
Opcode Fuzzy Hash: 44f345faa8b6f91fc8f491992820004cc1626f52b63171fb0c69a313b2d83d79
Instruction Fuzzy Hash: 67F06271405744AEE7218A1AD884B62FFA8EF41724F18C55AFE4C5B2C6C379A845CAB1

Function 02FAA48F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f08d1f9e7c1f60d1e7fa3b9eb019b32fb891701dcf1d64858c69d7f9f348bae
Instruction ID: ba3d3bf473e22cf952981a49631d9552465f8dca8bd337e469d8f487a8b0b96e
Opcode Fuzzy Hash: 0f08d1f9e7c1f60d1e7fa3b9eb019b32fb891701dcf1d64858c69d7f9f348bae
Instruction Fuzzy Hash: 47018CB1E02208DFDB05CF98E540ADDBBB2FF88210F0540A6E905AB225C3749E89CB50

Function 02FAA588 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3f80b0bc3829202da44b2b07e61c4a4f0c24d038f78b0539c0e2095ebf560b
Instruction ID: 9dd33d88c74679f4855a30f71fb1f55d7262c580300dcdf4a9fc308b3580de12
Opcode Fuzzy Hash: 1d3f80b0bc3829202da44b2b07e61c4a4f0c24d038f78b0539c0e2095ebf560b
Instruction Fuzzy Hash: 1E0196B1D0020DEFCB44EFA9D951AADBBB1FB88604F5085A9C415A7350EB746E458F81

Function 02FAA508 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c7736f967050fa83e1d9361c6abb1fe35c6419729f585fd3213f893342608a
Instruction ID: df0dde14614f9758fd7dc304091148e3b7a5362b778048a1fd112030e810722b
Opcode Fuzzy Hash: d0c7736f967050fa83e1d9361c6abb1fe35c6419729f585fd3213f893342608a
Instruction Fuzzy Hash: B8F08CB1B181519FD749A734B8B4BAA37E3EB882907000969C54ADB3A0EE285C028FD0

Function 02FA0908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe4d60e57ad5f9e083ebddb3d26bb69cc167fc66d13c1d8ad3e039dba8eafe8
Instruction ID: 9854ecb400638c023a6991aae38348462c82430a69c028ae9ac883ce243f3d0c
Opcode Fuzzy Hash: 7fe4d60e57ad5f9e083ebddb3d26bb69cc167fc66d13c1d8ad3e039dba8eafe8
Instruction Fuzzy Hash: EC01697190020DDFCB01EFB9E445A8D7BB1EF48300B5089A8D445A7362EE3C2E46CF91

Function 02FAA748 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5052d9b03a19d403bb935350414a6206099e864491a41a15b297f1933da7fc7d
Instruction ID: ab7757a0ad5d11ba6f9b76e0a8c90794cca29cc1845548f9e3c505f993c3d692
Opcode Fuzzy Hash: 5052d9b03a19d403bb935350414a6206099e864491a41a15b297f1933da7fc7d
Instruction Fuzzy Hash: FEF0E272A1010DABDB14DB64C4259EFBBBA9F84340F018826C913B7380EE74590AC6E2

Function 02FA97C8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626965596857d31a3cdf8103240e1aa89216fb4ae15570758f6f45bfdb3f2fa8
Instruction ID: 422dec68001cf66ebfd1d638066ca540cab8820299e90623fed29e25b9ebd462
Opcode Fuzzy Hash: 626965596857d31a3cdf8103240e1aa89216fb4ae15570758f6f45bfdb3f2fa8
Instruction Fuzzy Hash: F4F0BB3152438C9FDB02DFB8D8515AD7BB1DF45300F5045A9CC85972A2DE381E078B61

Function 02FA0838 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef15e183b86492fcd8f66a8ccd3774ceed143c408ac80e8dbcff9b0054d50a5e
Instruction ID: 49ff701ba6b6b12feab50cdc2be80168287e6c931162225804f0f44b13367b00
Opcode Fuzzy Hash: ef15e183b86492fcd8f66a8ccd3774ceed143c408ac80e8dbcff9b0054d50a5e
Instruction Fuzzy Hash: 94F03C3421128DDFC306EB39E99685A3B31EB4C70474149A8D4418B176CE3C2DCACB82

Function 02FA1E48 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba85235f9d3d935a1e0eeafd99f5ae96ac9b5b4ff5554e483f70f124f04899dc
Instruction ID: 99a0fed03f9923cbf5ab9c276f0e019f1c94ee4a0295ca687bd4f0fdba3d60a5
Opcode Fuzzy Hash: ba85235f9d3d935a1e0eeafd99f5ae96ac9b5b4ff5554e483f70f124f04899dc
Instruction Fuzzy Hash: 99F0E538A143449FDB25ABB0A8B89BE3BA5EE4A380F0404AED546C3250CF649C01CB96

Function 02FAA518 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e01e0283a7f69f11f5c5a9b33f8e30bdf77467b228212259b2bf3842ee969c
Instruction ID: fc1af01086feed5fc87350a31337b9d76d412e076bf7d004ba3b3577cff8c67b
Opcode Fuzzy Hash: d1e01e0283a7f69f11f5c5a9b33f8e30bdf77467b228212259b2bf3842ee969c
Instruction Fuzzy Hash: 69E012B1B151155BC744F775F874A6E3397EB88650B000969C506E73A4EF78AC418FC4

Function 02FA0848 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a3b7b1d9f18d8c41864598b4fc588a433e8246499515148f523e0ee7e8fa73
Instruction ID: d966b43c95809d9091edadaa99c8d736d7b95405103ed57322e50ccf5b72dddc
Opcode Fuzzy Hash: 81a3b7b1d9f18d8c41864598b4fc588a433e8246499515148f523e0ee7e8fa73
Instruction Fuzzy Hash: 77F0FE3531120DDBC706EB2AF94581A3725FB8C708B4049A8D41287276DE7C3DCACF91

Function 02FA97D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d3e7eb483bed0b8ce1cd65bdf7ef114a5703cfc7c09f500aa6be4d78c81c24
Instruction ID: 039b68e9219f6bc4eff2927f85a37b276497aed3b8741d899b9b353adbcb425e
Opcode Fuzzy Hash: 56d3e7eb483bed0b8ce1cd65bdf7ef114a5703cfc7c09f500aa6be4d78c81c24
Instruction Fuzzy Hash: ADE06D3162024DDBDB01EFA9E84169EB7B5EF88300F904568C806A7391DE3C2F065BA1

Function 02FA1E58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01dadcac662c6348dd2e99819b1bb210f42d9a0a04590f1c098e1c723a245bf
Instruction ID: c37c2c3c64064c45b7de6c1220d1790530ebf1d730791927c7671808af7bec2f
Opcode Fuzzy Hash: e01dadcac662c6348dd2e99819b1bb210f42d9a0a04590f1c098e1c723a245bf
Instruction Fuzzy Hash: B5E04F78B10218A7DB247BB2A868A2A779AEB49785F040468DA0683340DF64AC008BD6

Function 02FAA4D7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba98fc1ede60a730d8080983da2451b6bf32dee69e39719154fb6fca1526351
Instruction ID: 291dd01a972fb9cc4a95b573fe7225fa002c886bb2a7ecd980a022a9a6cfcd51
Opcode Fuzzy Hash: 5ba98fc1ede60a730d8080983da2451b6bf32dee69e39719154fb6fca1526351
Instruction Fuzzy Hash: ECE0863221C1C45FC30297A8D865849BFE9DF8B110308C4E6D58887352CA20AC22C7E1

Function 02FA9640 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db71f7d9848bb3fa6a0bc89a6e0c9a40dbdd1d39d606dca64c20dccec14ec676
Instruction ID: 98144f67db15abe0ffa1e6cc7160716ecf4ba5dba1b872bdc5189db0e59aebdf
Opcode Fuzzy Hash: db71f7d9848bb3fa6a0bc89a6e0c9a40dbdd1d39d606dca64c20dccec14ec676
Instruction Fuzzy Hash: 24E01A70E0120CAFCB40EFA8D95169DBBB6EB48700F5045A9C809A3350EB381E419B91

Function 02FA1EA7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb84b7725744719c54f80e5b659cb1b849cb08f179b3caaedd17b58d309f62a
Instruction ID: d1e9f3f60ada7fb53b3170ce831a89224d7e27aa144f5ca3d0f1a101da7dbd4e
Opcode Fuzzy Hash: 0fb84b7725744719c54f80e5b659cb1b849cb08f179b3caaedd17b58d309f62a
Instruction Fuzzy Hash: 42D02E32F043882FCF111B7158A26E83FB0EE5228070608EAC1C98B162EE208803CB80

Function 02FAF231 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d2b94c73601057078b4564aadf461040c46d6823710176c5199d4644acb99d
Instruction ID: 8639a469420255f2787feb1b72c46dbe25024a39c6ed5ce0615ed31782102b9c
Opcode Fuzzy Hash: 60d2b94c73601057078b4564aadf461040c46d6823710176c5199d4644acb99d
Instruction Fuzzy Hash: 1EE0C2B1940209CBEF308FA0D1683ED7BB0EF453A9F500428D501BA940CB3A8485CF90

Function 02FAA820 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787d1495c864b92a23199f32a70fbd7d4592e29a05de61598443aab2d3c2e89a
Instruction ID: 23b670ffd69dc69c502c676723414a1f5e367146def5d50d255e9843a1895438
Opcode Fuzzy Hash: 787d1495c864b92a23199f32a70fbd7d4592e29a05de61598443aab2d3c2e89a
Instruction Fuzzy Hash: A9C0921011E5E00FD78702BC0CE22E07F61CCC300938E8DE380C89E7A2D865084B8711

Function 02FAE6F0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6374d6c1f333bbf57b842851add8a8f90c59050092be3ce6b3250e428996a00a
Instruction ID: 857a25b15da77752ac104709b120c480064145237d17bec49b40c6262b38ce4a
Opcode Fuzzy Hash: 6374d6c1f333bbf57b842851add8a8f90c59050092be3ce6b3250e428996a00a
Instruction Fuzzy Hash: 48C0025951E6D54FD743937409B51953F21DC5B08135E45D7C1D6CF2A3C60445079362

Function 02FAEF00 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0a0e9bce92ba8f99b2f70de69c68f1e27be108529cd5e72353b50daad74f7b
Instruction ID: a8e054e7ad5cb5bc5fbd2c1c50831b773d2c3744a1c658e6e6d9d69adf2de0ea
Opcode Fuzzy Hash: cb0a0e9bce92ba8f99b2f70de69c68f1e27be108529cd5e72353b50daad74f7b
Instruction Fuzzy Hash: 19C0488251E2C04FE34703760CB20E97FB1DC83100BAF8AEA81C8CBA63E008451BD752

Function 02FAA4E8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1fd4f8f2652f8b49ea73741ffb131c4c26e35f2ca1ace0ba80efde9aac7f99
Instruction ID: 8398878447b6155003a3baa7e82409d23be34e54f115ba5ab81bf298a0b0e753
Opcode Fuzzy Hash: 9e1fd4f8f2652f8b49ea73741ffb131c4c26e35f2ca1ace0ba80efde9aac7f99
Instruction Fuzzy Hash: 01C080367000189B8704DA59E414C5AF7DE9FCA560310C036DE0DC7304DE31DC1387E4

Function 02FA9971 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daa5d22fb8125fbb87c5c6dc624e75d4399da14a14712441fe4a67163436d14
Instruction ID: 18b5551b2d9ef70c2d06ab1056087448fa89b9540cdec7b8ee626a9fa884ec5d
Opcode Fuzzy Hash: 9daa5d22fb8125fbb87c5c6dc624e75d4399da14a14712441fe4a67163436d14
Instruction Fuzzy Hash: 47C0480516FBE59EE30383B40DA1490BFB88C5308074D88DBE4C8CA4A3C008166FD332

Function 02FAD281 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69c393792668fa7f63567ddc2d8023bfb49ef1448cca57232f91eb9271f39a8
Instruction ID: 3710610d6a93db6782d287ee21a5492668bf7f485dd3b96db709f24493e03c00
Opcode Fuzzy Hash: a69c393792668fa7f63567ddc2d8023bfb49ef1448cca57232f91eb9271f39a8
Instruction Fuzzy Hash: 53C04852A1E3D18FC3074B7548A86813FA8DE9791030984EBD4C19B0A3D914891BCB65

Function 02FAD261 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd7c52c5ba3c3a57b951070f680349014e71e0dc8d72f58d9802a77280295ea
Instruction ID: 1b73e545ae16dda8a987c6908cb2b97364914d0053a3ecd20ccf5750c310018d
Opcode Fuzzy Hash: 6fd7c52c5ba3c3a57b951070f680349014e71e0dc8d72f58d9802a77280295ea
Instruction Fuzzy Hash: F2C092109997D0AFC7520FB4C9E64C13F78DA9BD2131805C6D1C28B853C418545FC310

Function 02FAD360 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e188e11dcb18bc1fb3830d19afe2b09c0e023a70fb698dfdc55a5ef4788ef101
Instruction ID: acc17d98d736e498935476f6d477b6bafeb8b313c04b42c0ea31715c529fe934
Opcode Fuzzy Hash: e188e11dcb18bc1fb3830d19afe2b09c0e023a70fb698dfdc55a5ef4788ef101
Instruction Fuzzy Hash: 5BC04CA6AAD7D08FC74347B408B50D17F78DD2718070946DBC0C58B553D5655416CBA2

Function 02FAF880 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b512f35c088a0c4a9a02f9c427f0f87cd9a4423d964f660bc92de1e368f2abb3
Instruction ID: 37b56c0a2b19210f1166f9dcac0c3622e6a74a50a5a5aedd7aeafcdfadecf69b
Opcode Fuzzy Hash: b512f35c088a0c4a9a02f9c427f0f87cd9a4423d964f660bc92de1e368f2abb3
Instruction Fuzzy Hash: 88B0925681A3C20EC78266300CF20C63F228CEB09639E93D6C58A8AA22941758038291

Function 02FAC010 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd97648549425a667a38316e754e60c6c7d456b9098bcfaf9388a0b694aaf139
Instruction ID: 41424c0020a359daace3f9e0227bbcadabc9aaa2e6d3943e9f45476768e200a6
Opcode Fuzzy Hash: fd97648549425a667a38316e754e60c6c7d456b9098bcfaf9388a0b694aaf139
Instruction Fuzzy Hash: C2C048212AF2C00ED38B033409B20D83F21CC8300A39EC8EAC0C88A567C106400B8311

Function 02FAA1B1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de05a0ff9b145309b14cd6032cc47bd68eecdb85a3b3a9e190e93c329d3db32
Instruction ID: 8f5866347f4e94f595868c94b198c340a89d52aa9fe9542ac26a07e016a49e21
Opcode Fuzzy Hash: 9de05a0ff9b145309b14cd6032cc47bd68eecdb85a3b3a9e190e93c329d3db32
Instruction Fuzzy Hash: 20C0484505E2E10FD70B437808F24983F21DC8740438E89D680C88E6A3C51814238242

Function 02FAC180 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081c166fae09bf0dba59695760766e65c335aedffcf95fdc43bab06d0d97793c
Instruction ID: b8efb08962ddcc453c52d6b1917b5756d2431885969c1632d427a4548e5688e0
Opcode Fuzzy Hash: 081c166fae09bf0dba59695760766e65c335aedffcf95fdc43bab06d0d97793c
Instruction Fuzzy Hash: 25C0482426F2CA0FE747A3B808A58C83F72DC8741479E84EA80C88B567C059684B9325

Function 02FAE6D2 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8669f6384a3cf4827b6f37b2a08b5f597b4e488f8fe3c6937ac015bec10b301
Instruction ID: 91948f468f0b4b6504ca492f67ee6cb7ff5a8db1009816066c29e287740f3106
Opcode Fuzzy Hash: d8669f6384a3cf4827b6f37b2a08b5f597b4e488f8fe3c6937ac015bec10b301
Instruction Fuzzy Hash: 88C0481166E3E18FD3078B704DA95817FAADE8B91130844EFC4C59F062C4190897C365

Function 02FAF6D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03aa63f7a44ad0bc14c9e303c8e839345bf502330e83e64da130edd7f4e4e13c
Instruction ID: 74985d70d87321acb9c84637e33a5a91b3e4800fef6f48292d4823bdf2058662
Opcode Fuzzy Hash: 03aa63f7a44ad0bc14c9e303c8e839345bf502330e83e64da130edd7f4e4e13c
Instruction Fuzzy Hash: 98C0484294E6C14EC702A3700CB60EA7F608CAB08238E85CAC1C68B666D11A1103A2A2

Function 02FAC030 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf7211b8b74b7f771bd84ac18ecf88955e782c6c77223ebaa2230436b2f498
Instruction ID: 66996613c9ad6da8bef077d7490c337fa9b48b516303bfd559d515887ec7641e
Opcode Fuzzy Hash: 4edf7211b8b74b7f771bd84ac18ecf88955e782c6c77223ebaa2230436b2f498
Instruction Fuzzy Hash: 95C0481111E2C00FD7430B340CF21A43F60CC8700839E54D280C88E163C50490578306

Function 02FAB4E1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b78441fedb0bc2100037b4cc94cf6f71a10482ee783f90333c98fd1e7d1cd6
Instruction ID: 57a7ecdf0888009c0d88ba614392fbaaf53a874ffd646b91c8c37189b2959c3f
Opcode Fuzzy Hash: 22b78441fedb0bc2100037b4cc94cf6f71a10482ee783f90333c98fd1e7d1cd6
Instruction Fuzzy Hash: 8DC0484580E2E10FC783423408B25C43FA29C974143AE9CDA90C5CB1B3C40A18138392

Function 02FAA610 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f555f5861dcde72ce3ac28a5d49b3b7100994e0e1e721e668d1614b047fec0e
Instruction ID: a54126d54b2a34ffb37c3f5b08af00c8185faa1a6ba675a6e3c657831fbe712f
Opcode Fuzzy Hash: 8f555f5861dcde72ce3ac28a5d49b3b7100994e0e1e721e668d1614b047fec0e
Instruction Fuzzy Hash: 19C04C919093D59FC7534B60A8B54953FB4999AA10B1940FED88246167E11D086BCB52

Function 02FAF761 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc099da3c952e171fcdf1031af7a6c77fae46d5494dc5f4bb27ec60ac341f6b
Instruction ID: bca39b3eb744c435d5193cba7792c3c90afbc77a98463827f81a6c9d8bb4e1ef
Opcode Fuzzy Hash: bdc099da3c952e171fcdf1031af7a6c77fae46d5494dc5f4bb27ec60ac341f6b
Instruction Fuzzy Hash: DDC0924500E2D08FC30B53300C764CABFF14C8700078E8DDA80C9CB653C05901069752

Function 02FACF10 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0567e9838c8a96beb12cdbad7185bb015559f89a2ce26112c0d0c5fb9512413a
Instruction ID: 534b4005cc2d38906ae7180a2445de6e8b8a8ca6f7e397e0132bc059a2395794
Opcode Fuzzy Hash: 0567e9838c8a96beb12cdbad7185bb015559f89a2ce26112c0d0c5fb9512413a
Instruction Fuzzy Hash: 6DC0920901D7C44FC35343780DAA0943FB0CC431047DD41E7C2D08FAA3D1081427A392

Function 02FABCF0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abda621cbe59571153916bc63ef40deac34ae815d5e275d129a75be4aad694f
Instruction ID: d717a450fe23a99371f03f2f5983f91fbad97d95815b6bd6b0bdbc19c53d21d9
Opcode Fuzzy Hash: 7abda621cbe59571153916bc63ef40deac34ae815d5e275d129a75be4aad694f
Instruction Fuzzy Hash: 91B0124205E2D00BDB8317B84CF18E43F62CC8201C3CF40C3C4CDCD143C80481834210

Function 02FADAD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315e052c967e537d397571b49fbe76f6f0ca1ae0f61b5ac8d38f012357fc53e8
Instruction ID: 3462a172840a006d58040d59fd99f108116bba5999fbf3e1f8f57b0920820b2b
Opcode Fuzzy Hash: 315e052c967e537d397571b49fbe76f6f0ca1ae0f61b5ac8d38f012357fc53e8
Instruction Fuzzy Hash: A9C04CA191E7C1DFC70287754C784E1BFA4AE1B16174842DBD1E08B4E6E6241411D756

Function 02FABC80 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50b13cfaed9fc60c4585e5c44b76fba3d39bd1df00aa9872fb1dc24bf101b69
Instruction ID: 63907fa349407a3beb3f54258e2ae86b078bfddb0d493d6e0718f3b4aaae5b5e
Opcode Fuzzy Hash: e50b13cfaed9fc60c4585e5c44b76fba3d39bd1df00aa9872fb1dc24bf101b69
Instruction Fuzzy Hash: 3DC092A1A1C2E18ECF03C732A8780A0BF755E1334234A44FFD085DB5A3E27C8814EB11

Function 02FAC83A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd79763e37b5f3c92e16ebe23e4874395444642a4e6e00033c268b9a7dc66a17
Instruction ID: 545020faa86fe5426bacd30abd560fe03e7be7a006e329f3795015c4036d5ff6
Opcode Fuzzy Hash: dd79763e37b5f3c92e16ebe23e4874395444642a4e6e00033c268b9a7dc66a17
Instruction Fuzzy Hash: 29A0021A6161C012DA964F25DCD5AD32F1DD6C5E5066451E599DA196075001085BCA60

Function 02FAC8DA Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae2f6f250a359319bfc62e2e2174fc458c40d858884e5be7855ad53b83acd2b
Instruction ID: 44bd32d00a64457e58c5f6822454d47756a2088e622dd38e681607aac9d6ba7e
Opcode Fuzzy Hash: 5ae2f6f250a359319bfc62e2e2174fc458c40d858884e5be7855ad53b83acd2b
Instruction Fuzzy Hash: 0EA002140155C04FD556456806591D47BD098821057DC44E291498E111920440036594

Non-executed Functions

Function 02FAAF49 Relevance: 7.8, Strings: 6, Instructions: 299COMMON

Download Yara Rule

Strings

Ljn, xrefs: 02FAB054
Ljn, xrefs: 02FAB048
Ljn, xrefs: 02FAB017
0on, xrefs: 02FAAFA5
Dqn, xrefs: 02FAAFB1
Ljn, xrefs: 02FAB023

Memory Dump Source

Source File: 00000002.00000002.887044795850.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0on$Dqn$Ljn$Ljn$Ljn$Ljn
API String ID: 0-2156403162
Opcode ID: 70299de73d104cc1499b973b917d4e28a46f5fbbe5275d84bd54fc5cbae0b4c0
Instruction ID: e87bb8ef07fb10676e85d2eee4fbb71f460f337c8f6428156b696f722c17c3e4
Opcode Fuzzy Hash: 70299de73d104cc1499b973b917d4e28a46f5fbbe5275d84bd54fc5cbae0b4c0
Instruction Fuzzy Hash: DEB16671B10101CFDB44DB79D868AAE77F2AF88658B2580A9E906DB3B1DF34DC46CB50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report L814CyOxMT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\L814CyOxMT.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Temp\downloadedFile.exe

C:\Users\user\AppData\Local\Temp\tmp6926.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp6927.tmp.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
L814CyOxMT.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre